CVE-2025-27399

5.3 MEDIUM

📋 TL;DR

Mastodon instances with domain block visibility set to 'users' (logged-in users) inadvertently expose block reasons to unapproved users. This affects instance administrators who want to keep domain blocks private from non-approved users.

💻 Affected Systems

Products:
  • Mastodon
Versions: Versions prior to 4.1.23, 4.2.16, and 4.3.4
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects instances where domain block visibility is set to 'users' (logged-in users).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unapproved users could view sensitive domain block reasons, potentially revealing moderation strategies or internal policies to unauthorized individuals.

🟠 Likely Case

Unapproved users gain unintended visibility into domain block reasons that administrators intended to keep private from them.

🟢 If Mitigated

With proper access controls, only approved users can view domain block reasons as intended.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an unapproved user account and domain blocks configured with 'users' visibility.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.23, 4.2.16, or 4.3.4

Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825

Restart Required: Yes

Instructions:

1. Back up your Mastodon instance.
2. Update to version 4.1.23, 4.2.16, or 4.3.4, depending on your current major version.
3. Restart the Mastodon services.

🔧 Temporary Workarounds

Change domain block visibility (all versions)

Set domain block visibility to 'public' or 'disabled' instead of 'users' to prevent exposure to unapproved users.

🧯 If You Can't Patch

  • Change domain block visibility settings to 'public' or 'disabled' instead of 'users'
  • Temporarily disable new user registrations or approval processes

🔍 How to Verify

Check if Vulnerable:

Confirm whether the running Mastodon version is older than the fixed release for its branch (4.1.23, 4.2.16, or 4.3.4) and whether domain block visibility is set to 'users' for any blocks.

Check Version:

Check Mastodon admin interface or run appropriate version check for your deployment method.

Verify Fix Applied:

Confirm the Mastodon version is 4.1.23, 4.2.16, or 4.3.4, or a later release on the same branch.
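A branch-aware version check, added here as an example (not code from the Mastodon project or the advisory): it maps each release branch named above to its fixed patch level and treats versions on older branches as affected. Pre-release suffixes (for example "-rc1") are assumed to sort before the final release, and build metadata after "+" is ignored; both are assumptions, not statements from the advisory.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (4, 1): (4, 1, 23),
    (4, 2): (4, 2, 16),
    (4, 3): (4, 3, 4),
}

# major.minor.patch, optional "-prerelease", optional "+build" (ignored).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?P<pre>-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group("pre") is not None


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix on its own release branch."""
    core, prerelease = parse_version(version)
    branch = core[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if core < fixed:
            return True
        # Assumption: a pre-release of the fixed version itself predates the fix.
        return bool(prerelease and core == fixed)
    if branch < min(FIXED_BY_BRANCH):
        return True   # older branches (e.g. 4.0.x, 3.x) predate every fix
    return False      # assumption: later branches were cut after the fix


if __name__ == "__main__":
    for v in ("4.2.15", "4.2.16", "4.3.4-rc1", "4.1.22+glitch", "4.4.0"):
        print(f"{v:>14}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```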

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to domain block API endpoints by unapproved users

Network Indicators:

  • API requests to /api/v1/instances/domain_blocks from unapproved user accounts

SIEM Query:

source="mastodon" AND (uri_path="/api/v1/instances/domain_blocks" OR endpoint="domain_blocks") AND user_status="unapproved"
