Unrated severityNVD Advisory· Published Feb 27, 2025· Updated Feb 27, 2025

Mastodon's rate-limits are missing on `/auth/setup`

CVE-2025-27157

Description

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

Affected products

Mastodon/Mastodonv5
Range: >= 4.2.0, < 4.2.16

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ecmitrex_refsource_MISC
github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7hmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000