Mastodon Error Handling Vulnerability Allows Existence Checks of Private Statuses

Vulnerability

An error handling vulnerability has been identified in Mastodon, a social network server based on ActivityPub. This issue affects versions 4.2.27 and prior, as well as 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, and 4.5.0-beta.1 through 4.5.2. The vulnerability allows an anonymous user to check the existence of private posts by sending a request with a non-English Accept-Language header. While this does not reveal the content of the status or any other properties, it enables confirmation of a status's existence based on its identifier.

Impact

The vulnerability allows for unauthorized existence checks of private statuses, potentially leading to privacy violations.

Remediation

Users can update to Mastodon versions 4.2.28, 4.3.15, 4.4.10, or 4.5.3 to address this vulnerability.
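The affected ranges above mix plain releases with beta builds (4.3.0-beta.1 sorts before 4.3.0, for example), so a naive string comparison misclassifies them. The Ruby snippet below is an added example, not code from the Mastodon project or from this advisory's publisher; it uses the standard-library Gem::Version class to decide whether an instance's reported version falls inside the advisory's ranges and which fixed release it should move to. It assumes the version string has the form MAJOR.MINOR.PATCH with an optional "-beta.N" style suffix, as the advisory lists them; pre-release builds older than the named beta (e.g. an alpha) are treated as affected, which is a conservative assumption.

```ruby
# Added example (not Mastodon project code): classify a Mastodon version
# string against the affected ranges stated in this advisory.
require "rubygems" # provides Gem::Version, which orders "4.3.0-beta.1" before "4.3.0"

# First fixed release for each affected minor line, taken from the advisory.
FIXED_VERSIONS = {
  [4, 3] => "4.3.15",
  [4, 4] => "4.4.10",
  [4, 5] => "4.5.3",
}.freeze

# "4.2.27 and prior" covers every version below this one, including older
# minor and major lines.
LEGACY_FIX = "4.2.28"

# Parse a version string; return nil for input Gem::Version cannot understand.
def parse_version(str)
  Gem::Version.new(str.to_s.strip)
rescue ArgumentError
  nil
end

# Fixed release for the line a version belongs to, or nil when the advisory
# names no range for that line (4.6 and later, 5.x, ...).
def fixed_version_for(version_string)
  v = parse_version(version_string)
  return nil if v.nil?

  major, minor = v.segments[0, 2].map(&:to_i)
  line = [major, minor]
  return LEGACY_FIX if (line <=> [4, 3]) < 0

  FIXED_VERSIONS[line]
end

# true  -> inside an affected range
# false -> at or past the fix for its line, or outside any listed range
# nil   -> unparseable input
def affected?(version_string)
  v = parse_version(version_string)
  return nil if v.nil?

  fixed = fixed_version_for(version_string)
  return false if fixed.nil?

  v < Gem::Version.new(fixed)
end

# Human-readable verdict for an admin checking a single instance.
def verdict(version_string)
  case affected?(version_string)
  when nil   then "#{version_string}: unrecognised version string"
  when false then "#{version_string}: not in an affected range"
  else            "#{version_string}: affected, upgrade to #{fixed_version_for(version_string)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs covering each boundary in the advisory.
  %w[4.2.27 4.2.28 4.3.0-beta.1 4.3.14 4.3.15 4.4.9 4.4.10 4.5.2 4.5.3 4.6.0].each do |ver|
    puts verdict(ver)
  end
end
```

Run it against the version your instance reports (the same string Mastodon shows in its about page or `Mastodon::Version`), and treat any "affected" verdict as a signal to schedule the upgrade listed in the remediation section.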

Added: Dec 10, 2025, 12:45 AM
Updated: Dec 10, 2025, 12:45 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 1.3
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.