Mastodon allows continued access after password reset via CLI

3.5 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist.

Basic Information

ID CVE-2025-62174

Source GitHub_M

Published Oct 13, 2025 at 20:54

Modified Oct 13, 2025 at 21:01

Affected Product

Vendor mastodon

Product mastodon

Version >= 4.4.0-beta.1, < 4.4.6

Affected Versions mastodon mastodon >= 4.4.0-beta.1, < 4.4.6
mastodon mastodon >= 4.3.0-beta.1, < 4.3.14
mastodon mastodon < 4.2.27

CWE Classification

CWE-613

References

{
    "lastseen": "",
    "description": "Mastodon is a free, open-source social network server based on ActivityPub.  In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist.",
    "published": "2025-10-13T20:54:36.040Z",
    "modified": "2025-10-13T21:01:05.528Z",
    "type": "cve",
    "title": "Mastodon allows continued access after password reset via CLI",
    "source": "GitHub_M",
    "references": "https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655\nhttps://github.com/mastodon/mastodon/commit/1631fb80e8029d2c5425a03a2297b93f7e225217",
    "id": "CVE-2025-62174",
    "bulletinFamily": "",
    "cwe": [
        "CWE-613"
    ],
    "cvelist": null,
    "sourceData": "mastodon mastodon >= 4.4.0-beta.1, < 4.4.6\nmastodon mastodon >= 4.3.0-beta.1, < 4.3.14\nmastodon mastodon < 4.2.27",
    "sourceHref": "",
    "cvss": {
        "score": 3.5,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mastodon",
    "version": ">= 4.4.0-beta.1, < 4.4.6",
    "vendor": "mastodon",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Mastodon allows continued access after password reset via CLI_CVE-2025-62174