CVE-2025-27399

Published Feb 27, 2025

Last updated a month ago

Overview

Description
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-200

Social media

Hype score
Not currently trending
  1. CVE-2025-27399 Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users")

    @sehanshah1

    5 Mar 2025

  2. 🚨 CVE-2025-27399 🟠 MEDIUM (5.3) 🏢 mastodon - mastodon 🏗️ < 4.1.23 🔗 https://t.co/bmLIH2RZKJ 🔗 https://t.co/ZsC8TF34yw 🔗 https://t.co/goZGrAi04c 🔗 https://t.co/V34Bioq9AY #CyberCron #VulnAlert https://t.co/8RNU809evo

    @cybercronai

    1 Mar 2025

  3. CVE-2025-27399 Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users")

    @sehanshah1

    28 Feb 2025

  4. CVE-2025-27399 Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approve

    @sehanshah1

    28 Feb 2025

  5. New post from https://t.co/uXvPWJy6tj (CVE-2025-27399 | Mastodon up to 4.1.22/4.2.15/4.3.3 information disclosure (GHSA-94h4-fj37-c825)) has been published on https://t.co/iy6bQixBq8

    @WolfgangSesin

    28 Feb 2025

  6. CVE-2025-27399 Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "… https://t.co/JWZvGhPZGz

    @CVEnew

    27 Feb 2025