Unrated severityNVD Advisory· Published Feb 27, 2025· Updated Feb 27, 2025
Mastodon's rate-limits are missing on `/auth/setup`
CVE-2025-27157
Description
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
2- github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ecmitrex_refsource_MISC
- github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7hmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.