Mastodon Streaming Server OAuth Scope Bypass Vulnerability
Vulnerability
A vulnerability exists in the Mastodon streaming server in versions prior to 4.4.6, 4.3.14, and 4.2.27. The streaming server accepts subscriptions to public timelines from any OAuth client presenting a valid access token, even when that token was never granted the read:statuses scope. A client can therefore receive new public posts it is not authorized to read, which matters most on limited-federation servers, where public timelines are not meant to be openly readable.
Impact
Exploitation of this vulnerability could lead to unauthorized access to public posts on limited-federation timelines.
Reproduction
To reproduce this vulnerability, use an OAuth client with a valid token that lacks the read:statuses scope. Subscribe to a public channel on the streaming server. The subscription will be accepted, and events for new public posts will be received, despite the absence of the required read scope.
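The subscription check described above and in the Vulnerability section, as an added illustration (not Mastodon's own streaming code): the vulnerable form skips the scope check for public channels, while the hardened form requires read:statuses for every channel that delivers posts. It assumes Mastodon's hierarchical OAuth scopes, where a broad scope such as `read` implies its sub-scopes, and the public channel names used below are assumed to match the streaming API.

```javascript
// Added example, not Mastodon's own code. Models the streaming server's
// decision of whether a token may subscribe to a channel.

// Channels that deliver public posts (names assumed from the streaming API).
const PUBLIC_CHANNELS = [
  'public', 'public:media', 'public:local', 'public:local:media',
  'public:remote', 'public:remote:media', 'hashtag', 'hashtag:local',
];

// Scope needed to receive post events on any of these channels.
const REQUIRED_SCOPE = 'read:statuses';

// True if any granted scope satisfies the required one. A parent scope
// ("read") covers its children ("read:statuses"), so legacy tokens that
// were issued the broad scope keep working after the fix.
const scopeSatisfied = (grantedScopes, required) =>
  grantedScopes.some(
    (scope) => scope === required || required.startsWith(`${scope}:`),
  );

// Vulnerable behaviour from the advisory: a public channel is accepted
// with any valid token, so the scope check never runs for it.
const canSubscribeVulnerable = (token, channelName) => {
  if (PUBLIC_CHANNELS.includes(channelName)) return true;
  return scopeSatisfied(token.scopes, REQUIRED_SCOPE);
};

// Hardened behaviour: the scope check applies to public channels too.
const canSubscribeFixed = (token, channelName) => {
  if (!PUBLIC_CHANNELS.includes(channelName)) return false; // unknown channel
  return scopeSatisfied(token.scopes, REQUIRED_SCOPE);
};

// Audit helper: explains a rejection so the decision can be logged.
const subscriptionDecision = (token, channelName) => {
  const allowed = canSubscribeFixed(token, channelName);
  return {
    allowed,
    reason: allowed ? 'ok' : `token lacks ${REQUIRED_SCOPE} for ${channelName}`,
  };
};

// Constructed sample: a write-only token asking for the public timeline.
const sampleToken = { scopes: ['write:statuses'] };
console.log(canSubscribeVulnerable(sampleToken, 'public')); // true (bug)
console.log(subscriptionDecision(sampleToken, 'public'));   // allowed: false
```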
Remediation
Administrators should upgrade to Mastodon 4.4.6, 4.3.14, or 4.2.27, whichever corresponds to the release branch in use, to address this vulnerability.
