First published: Wed Feb 14 2024
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application was destroyed, the streaming server was not informed that the Application's Access Tokens had also been destroyed. This could have posed a security risk to users by allowing an application to continue listening to streaming after it had been destroyed.

Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback set up on `AccessTokenExtension` never fired, since `delete_all` does not trigger ActiveRecord callbacks. To mitigate, a `before_destroy` callback is added to `ApplicationExtension` which announces to streaming that all of the Application's Access Tokens are being "killed".

Impact should be negligible given that the affected application had to be owned by the user. Nonetheless, this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
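The callback gap described above, as an added in-memory illustration (this is not Mastodon's or Doorkeeper's code, and `StreamingBus`, `AccessToken` and `Application` are hypothetical stand-ins): a bulk `delete_all` removes the child rows without running any per-row callbacks, so the streaming side never hears that the tokens are gone; a `before_destroy` on the parent that announces every token kill before the bulk delete closes the gap.

```ruby
# Added illustration (not Mastodon's or Doorkeeper's code): an in-memory model of why
# `dependent: delete_all` on the Application -> AccessToken association skipped the
# per-token "kill" announcement, and how a before_destroy callback on the parent
# restores it. StreamingBus, AccessToken and Application are hypothetical names.

# Stand-in for the streaming server's view of the world: token ids it still serves.
class StreamingBus
  attr_reader :live_tokens, :kill_events

  def initialize
    @live_tokens = []
    @kill_events = []
  end

  def subscribe(token_id)
    @live_tokens << token_id
  end

  # The "kill" announcement; here it just records the event and drops the subscription.
  def kill(token_id)
    @kill_events << token_id
    @live_tokens.delete(token_id)
  end
end

# Minimal record with ActiveRecord-like callback semantics:
#   destroy    -> runs the record's callbacks, then removes the row
#   delete_all -> removes rows with one bulk statement and runs NO callbacks
class AccessToken
  @@store = []
  attr_reader :id, :application_id

  def initialize(id, application_id, bus)
    @id, @application_id, @bus = id, application_id, bus
    @@store << self
  end

  def self.where(application_id:)
    @@store.select { |t| t.application_id == application_id }
  end

  def self.delete_all(application_id:)
    @@store.reject! { |t| t.application_id == application_id } # no callbacks fire
  end

  # Equivalent of the after_commit hook on the token model: only reached via destroy.
  def destroy
    @@store.delete(self)
    @bus.kill(@id)
  end

  def self.reset!
    @@store = []
  end
end

class Application
  attr_reader :id

  def initialize(id, bus, fixed:)
    @id, @bus, @fixed = id, bus, fixed
  end

  # Mirrors `dependent: delete_all`: tokens vanish in a bulk delete, so their own
  # callbacks never run. The fixed variant first runs a parent-level before_destroy
  # that announces every token kill.
  def destroy
    before_destroy if @fixed
    AccessToken.delete_all(application_id: @id)
  end

  private

  def before_destroy
    AccessToken.where(application_id: @id).each { |t| @bus.kill(t.id) }
  end
end

# Run one scenario (constructed data: app 1 with tokens 10 and 11) and report
# what the database and the streaming side each believe afterwards.
def destroy_application(fixed:)
  AccessToken.reset!
  bus = StreamingBus.new
  app = Application.new(1, bus, fixed: fixed)
  [10, 11].each do |token_id|
    AccessToken.new(token_id, app.id, bus)
    bus.subscribe(token_id)
  end
  app.destroy
  { tokens_in_db: AccessToken.where(application_id: app.id).size,
    still_streaming: bus.live_tokens,
    kills_announced: bus.kill_events }
end

if __FILE__ == $PROGRAM_NAME
  p destroy_application(fixed: false) # tokens gone from DB, streaming still serves 10 and 11
  p destroy_application(fixed: true)  # tokens gone from DB, both kills announced
end
```

In the unfixed run the database has no tokens left while the streaming side still lists both subscriptions, which is exactly the stale-token window the advisory describes; in the fixed run the parent's `before_destroy` announces both kills before the bulk delete, so the two views agree.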
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mastodon | <3.5.18 | Upgrade to 3.5.18 |
| Mastodon | >=4.0.0, <4.0.14 | Upgrade to 4.0.14 |
| Mastodon | >=4.1.0, <4.1.14 | Upgrade to 4.1.14 |
| Mastodon | >=4.2.0, <4.2.6 | Upgrade to 4.2.6 |
The severity of CVE-2024-25619 is categorized as medium due to the potential for unauthorized access via stale access tokens.
To fix CVE-2024-25619, update to Mastodon version 3.5.19 or any version from 4.0.15 onwards.
CVE-2024-25619 is caused by the failure of the streaming server to be informed when OAuth Application access tokens are destroyed.
Users of Mastodon versions prior to 3.5.19 and between 4.0.0 and 4.2.6 are affected by CVE-2024-25619.
CVE-2024-25619 could allow previously authorized applications to continue accessing user resources, posing a security risk.