CVE-2025-62174

low-risk

Published 2025-10-13

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.5/10 Low

NETWORK / LOW complexity

Affected Products (1)

Mastodon

Affected Vendors

Joinmastodon

References (2)

Patch https://github.com/mastodon/mastodon/commit/1631fb80e8029d2c5425a03a2297b93f7e22...

Vendor Advisory https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal