CVE-2025-27399
Mastodon's domain blocks & rationales ignore user approval when visibility set as "users"
5.3
MEDIUM
CVSS 3.1
EPSS 0.45%
Description
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), accounts that have signed up but have not yet been approved by an admin can view the domain block list and the block reasons. The check only asked whether a user was logged in, not whether the account had been approved, so on instances with admin approval required a pending account could read data the admin intended to show only to members. Instance admins that do not want their domain blocks (and the rationales, which may describe abuse from specific servers) to be visible to non-members are impacted; instances with the visibility set to "all" publish the list deliberately and are not affected. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.
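The following Ruby is an added illustration of the check the description refers to; it is not Mastodon's own code and is not copied from the referenced controller or commit. The `User` struct, the `functional?` helper (assumed to mean confirmed, approved and not disabled, roughly as Mastodon's own helper of that name does) and the three visibility values `disabled`/`users`/`all` are stand-ins constructed here. It puts a "signed in is enough" check next to an "approved account required" check and lists the requesters for which the two disagree.

```ruby
# Added illustration for CVE-2025-27399 (not Mastodon's code).
# Models the visibility decision for the domain block list/rationales.

# Constructed stand-in for an account record. A pending account exists and
# can hold a session or API token before an admin approves it, so
# "signed in" alone does not mean "approved member of this instance".
User = Struct.new(:confirmed, :approved, :disabled, keyword_init: true) do
  # Assumption: mirrors the intent of Mastodon's User#functional?
  # (confirmed, approved, and not disabled).
  def functional?
    confirmed && approved && !disabled
  end
end

# Assumed setting values: "disabled" (nobody), "users" (members), "all" (public).
VISIBILITIES = %w[disabled users all].freeze

# Vulnerable logic: "users" only asks whether *someone* is signed in,
# so a pending (unapproved) account passes.
def show_domain_blocks_vulnerable?(visibility, user)
  case visibility
  when 'all'   then true
  when 'users' then !user.nil?
  else false
  end
end

# Hardened logic: "users" means a functional (confirmed, approved, enabled) account.
def show_domain_blocks_hardened?(visibility, user)
  case visibility
  when 'all'   then true
  when 'users' then !user.nil? && user.functional?
  else false
  end
end

# Runs both checks over constructed requesters and returns the
# [visibility, requester, vulnerable_result, hardened_result] rows
# where the two decisions differ.
def divergent_cases
  requesters = {
    'anonymous'        => nil,
    'pending_approval' => User.new(confirmed: true,  approved: false, disabled: false),
    'unconfirmed'      => User.new(confirmed: false, approved: false, disabled: false),
    'approved'         => User.new(confirmed: true,  approved: true,  disabled: false),
    'disabled'         => User.new(confirmed: true,  approved: true,  disabled: true),
  }
  VISIBILITIES.product(requesters.keys).filter_map do |vis, who|
    v = show_domain_blocks_vulnerable?(vis, requesters[who])
    h = show_domain_blocks_hardened?(vis, requesters[who])
    [vis, who, v, h] if v != h
  end
end

if $PROGRAM_NAME == __FILE__
  divergent_cases.each do |vis, who, v, h|
    puts "visibility=#{vis} requester=#{who} vulnerable=#{v} hardened=#{h}"
  end
end
```

Only the "users" setting produces a difference: the pending, unconfirmed and disabled requesters are admitted by the signed-in-only check and refused by the hardened one, while anonymous and approved requesters get the same answer from both. That is the whole defect: the setting's name promises "members", but the check measured "has a session". To verify your own instance after upgrading, create a test account while approval is required, authenticate as it before approving it, and confirm that the domain block endpoint served by the referenced controller no longer returns the list.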
How to fix CVE-2025-27399
To remediate CVE-2025-27399, upgrade Mastodon to the fixed release of the branch you run:
- 4.3.x: upgrade to 4.3.4 or later
- 4.2.x: upgrade to 4.2.16 or later
- 4.1.x: upgrade to 4.1.23 or later
Until the upgrade is applied, the issue only arises when the domain block visibility is set to "users"; it does not apply with the list hidden entirely or deliberately made public.
Is CVE-2025-27399 being exploited?
Low: EPSS is 0.45%, i.e. the model estimates well under a 1% probability of exploitation in the wild within the next 30 days. Note that the only trace of abuse would be an ordinary API request from a pending account, so absence of evidence in logs is weak evidence here.
Affected packages (1)
- Mastodon (mastodon/mastodon): from 0, < 4.3.4 (on the 4.1 and 4.2 branches the fixed releases are 4.1.23 and 4.2.16)
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
- Affected controller, lines 33-35: https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L33-L35
- Affected controller, lines 49-51: https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L49-L51
- Fix commit: https://github.com/mastodon/mastodon/commit/6b519cfefa93a923b19d0f20c292c7185f8fd5f5