CVE-2025-67500
📋 TL;DR
This vulnerability in Mastodon allows attackers to confirm the existence of private statuses by sending requests with non-English Accept-Language headers. While it doesn't reveal content or other properties, it leaks metadata about protected posts. All Mastodon instances running affected versions are vulnerable.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map private statuses across a Mastodon instance, potentially identifying sensitive conversations or targeted individuals based on status existence patterns.
Likely Case
Limited information disclosure where attackers confirm whether specific private statuses exist, potentially enabling targeted harassment or reconnaissance.
If Mitigated
Minimal impact once patched: the fix closes the metadata leak, which is the only exposure this issue creates.
🎯 Exploit Status
Exploitation requires knowing specific status identifiers but doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.28, 4.3.15, 4.4.10, 4.5.3
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8
Restart Required: Yes
Instructions:
1. Back up your Mastodon instance.
2. Update to a patched version using your deployment method (Docker, manual, etc.).
3. Restart Mastodon services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Rate limiting
Implement aggressive rate limiting on status endpoints to make enumeration impractical.
WAF/Reverse proxy filtering
Block or monitor requests with non-English Accept-Language headers to status endpoints.
🧯 If You Can't Patch
- Implement strict rate limiting on all status-related API endpoints
- Monitor logs for unusual patterns of requests with non-English Accept-Language headers
🔍 How to Verify
Check if Vulnerable:
Check the Mastodon version against the affected ranges. To test, send a GET request to /api/v1/statuses/[id] with a non-English Accept-Language header and observe whether the error response differs between an existing and a non-existing status.
Check Version:
For Docker: docker exec mastodon_web bin/tootctl version
For manual: cd /home/mastodon/live && RAILS_ENV=production bin/tootctl version
(rails -v prints the Rails framework version, not Mastodon's, so grepping its output for 'Mastodon' never matches; tootctl version prints the Mastodon release.)
Verify Fix Applied:
After patching, test with the same method: the error response should be the same regardless of whether the status exists.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to /api/v1/statuses/ with varying IDs and non-English Accept-Language headers
- Pattern of 404 vs other error responses correlating with header changes
Network Indicators:
- Unusual volume of requests to status endpoints with Accept-Language headers like 'fr-FR', 'es-ES', 'de-DE'
SIEM Query:
source="mastodon.logs" AND (uri_path="/api/v1/statuses/*" OR uri_path="/api/v2/statuses/*") AND http_accept_language!="" AND NOT http_accept_language="en*"
Note on the query: Accept-Language is its own request header and never appears inside the User-Agent string, so matching it in http_user_agent returns nothing. The field name http_accept_language is a placeholder for whatever your log schema uses, and the proxy must actually record that header (nginx's stock "combined" log format does not).
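As an added example (not from the advisory or the Mastodon project), the log indicators above as a small detector: it assumes the reverse proxy appends the Accept-Language header as a final quoted field to nginx's "combined" log format (the stock format does not log it), and the sample lines, addresses and response codes are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access log. Format assumed: nginx "combined" plus the
# Accept-Language header appended as a final quoted field (the stock
# combined format does not log that header). Status codes are sample values.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:12:00:01 +0000] "GET /api/v1/statuses/110000000000000001 HTTP/1.1" 404 52 "-" "curl/8.0" "fr-FR"
203.0.113.7 - - [01/Jan/2025:12:00:02 +0000] "GET /api/v1/statuses/110000000000000002 HTTP/1.1" 404 52 "-" "curl/8.0" "fr-FR"
203.0.113.7 - - [01/Jan/2025:12:00:03 +0000] "GET /api/v1/statuses/110000000000000003 HTTP/1.1" 422 60 "-" "curl/8.0" "de-DE"
203.0.113.7 - - [01/Jan/2025:12:00:04 +0000] "GET /api/v1/statuses/110000000000000004 HTTP/1.1" 404 52 "-" "curl/8.0" "es-ES"
198.51.100.9 - - [01/Jan/2025:12:00:05 +0000] "GET /api/v1/statuses/110000000000000001 HTTP/1.1" 200 812 "-" "Mozilla/5.0" "en-US,en;q=0.9"
198.51.100.9 - - [01/Jan/2025:12:00:06 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "fr-FR"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<lang>[^"]*)"$'
)
STATUS_PATH_RE = re.compile(r"^/api/v\d+/statuses/(?P<id>\d+)$")


def is_non_english(accept_language: str) -> bool:
    """True when the client's most-preferred language tag is not English."""
    first = accept_language.split(",")[0].split(";")[0].strip().lower()
    if first in ("", "-", "*"):  # header absent or wildcard: nothing to flag
        return False
    return not first.startswith("en")


def find_enumeration(log_text: str, min_ids: int = 3):
    """Map source IP -> (distinct status ids requested, sorted response codes)
    for sources that fetched at least min_ids distinct statuses with a
    non-English Accept-Language. Mixed codes (404 vs other errors) for one
    source are the second indicator listed above."""
    ids, codes = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        p = STATUS_PATH_RE.match(m["path"])
        if not p or not is_non_english(m["lang"]):
            continue
        ids[m["ip"]].add(p["id"])
        codes[m["ip"]].add(int(m["status"]))
    return {ip: (len(s), sorted(codes[ip])) for ip, s in ids.items() if len(s) >= min_ids}


if __name__ == "__main__":
    for ip, (n, seen) in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct status ids, response codes {seen}")
```

Tune min_ids to your instance's normal traffic; a legitimate non-English client fetching a handful of statuses should stay well under the threshold.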