CVE-2024-25619: 
NixOS vulnerability analysis and mitigation

CVE-2024-25619 affects Mastodon, a free, open-source social network server based on ActivityPub. The vulnerability was discovered and disclosed on February 14, 2024, impacting all versions prior to 4.2.6, 4.1.14, 4.0.14, and 3.5.18. The issue occurs when an OAuth Application is destroyed, where the streaming server isn't properly notified about the destruction of associated Access Tokens (GitHub Advisory).

The vulnerability stems from Doorkeeper's configuration using 'dependent: delete_all' for the relationship between Applications and Access Tokens. This configuration prevents the 'after_commit' callback in AccessTokenExtension from firing since 'delete_all' doesn't trigger ActiveRecord callbacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) by NIST and 3.1 (LOW) by GitHub, with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness has been categorized under CWE-613 (Insufficient Session Expiration) and CWE-672 (Operation on a Resource after Expiration or Release) (NVD).

The impact of this vulnerability allows an application to continue listening to streaming after the application has been destroyed. However, the impact is considered negligible as the affected application had to be owned by the user themselves. The vulnerability primarily affects the confidentiality aspect of the system, with no direct impact on integrity or availability (GitHub Advisory).

The vulnerability has been patched in Mastodon versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. The fix involves adding a 'before_destroy' callback to ApplicationExtension which announces to streaming that all the Application's Access Tokens are being terminated. There are no known workarounds for this vulnerability, and users are advised to upgrade to the patched versions (NVD).