VYPR
Unrated severityNVD Advisory· Published Feb 27, 2025· Updated Feb 27, 2025

Mastodon's rate-limits are missing on `/auth/setup`

CVE-2025-27157

Description

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Mastodon/Mastodonllm-fuzzy2 versions
    >=4.2.0, <4.2.16 or >=4.3.0, <4.3.4+ 1 more
    • (no CPE)range: >=4.2.0, <4.2.16 or >=4.3.0, <4.3.4
    • (no CPE)range: >= 4.2.0, < 4.2.16
  • osv-coords
    Range: >= 4.2.0, < 4.3.4

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.