Moodle: moodle: brute-force facilitation due to missing rate limiting in confirmation email service
Description
A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle lacks rate limiting in its confirmation email service, enabling remote attackers to enumerate or guess user credentials via brute-force attacks.
Vulnerability
Overview
CVE-2025-67853 describes a missing rate-limiting control in Moodle's confirmation email service. The endpoint responsible for sending confirmation emails does not enforce any throttling mechanism, allowing an attacker to submit repeated requests without restriction. This flaw stems from a design oversight where the service fails to limit the frequency of email confirmation requests, as noted in the Red Hat advisory [1] and the NVD entry [2].
Exploitation
Prerequisites
An attacker can exploit this vulnerability remotely without requiring prior authentication. By sending a high volume of confirmation email requests for known or guessed email addresses, the attacker can observe differences in server responses (e.g., timing, error messages) to determine whether an account exists. This enumeration technique reduces the search space for subsequent brute-force password attacks. The Bugzilla report [4] confirms that the endpoint provides less resistance to credential guessing.
Impact
Successful exploitation allows an attacker to enumerate valid user accounts on the Moodle instance. With a list of valid usernames or email addresses, the attacker can then launch targeted brute-force attacks against those accounts, potentially gaining unauthorized access. The impact is heightened in environments where weak passwords are common or where multi-factor authentication is not enforced.
Mitigation
Status
As of the publication date (2026-02-03), no patch has been announced. Administrators are advised to implement additional rate-limiting controls at the web server or application firewall level, or to monitor for unusual spikes in confirmation email requests. The Moodle project may address this in a future release; users should track the official Moodle security announcements.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
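The mitigation guidance above points at two compensating controls an administrator can apply without a Moodle patch: throttle confirmation-email requests at the reverse proxy or WAF, and watch for spikes in such requests. The following is an added example, not Moodle project code or anything from the cited advisories. It replays web server access-log lines through a per-source sliding-window limiter, which is the same decision an inline proxy rule makes, and reports which sources exceeded the policy. The endpoint path (`CONFIRM_PATH`), the window and limit values, and the log lines are all constructed placeholders; the advisory does not name the endpoint, so substitute the path your instance actually serves.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Placeholder: the advisory does not name the confirmation-email endpoint.
# Replace with the path your Moodle version actually serves.
CONFIRM_PATH = "/login/confirm_email_placeholder.php"

# Illustrative policy: at most LIMIT requests per source IP within WINDOW_SECONDS.
WINDOW_SECONDS = 60
LIMIT = 5

# NCSA combined log format, the usual Apache/nginx default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


class SlidingWindowLimiter:
    """Per-key sliding window: keeps the timestamps of recent requests for each
    key and refuses a request once LIMIT of them fall inside the window."""

    def __init__(self, window_seconds, limit):
        self.window = window_seconds
        self.limit = limit
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        # Drop timestamps that have aged out of the window.
        while q and (now - q[0]).total_seconds() >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(lines, window_seconds=WINDOW_SECONDS, limit=LIMIT):
    """Replay confirmation-email POSTs through the limiter.

    Returns {ip: {"total": n, "blocked": m}}, where m is how many requests the
    policy would have rejected. Any source with blocked > 0 is a burst worth an
    alert; the same limiter logic applied inline at the proxy would have throttled it.
    """
    limiter = SlidingWindowLimiter(window_seconds, limit)
    stats = defaultdict(lambda: {"total": 0, "blocked": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method != "POST" or path != CONFIRM_PATH:
            continue
        stats[ip]["total"] += 1
        if not limiter.allow(ip, ts):
            stats[ip]["blocked"] += 1
    return dict(stats)


# Constructed sample log: one source fires seven confirmation requests within
# 30 seconds, a second source sends one, and an unrelated page view is ignored.
SAMPLE_LOG = [
    f'203.0.113.7 - - [03/Feb/2026:10:15:{s:02d} +0000] '
    f'"POST {CONFIRM_PATH} HTTP/1.1" 303 0 "-" "curl/8.5"'
    for s in range(0, 35, 5)
] + [
    f'198.51.100.5 - - [03/Feb/2026:10:15:12 +0000] '
    f'"POST {CONFIRM_PATH} HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [03/Feb/2026:10:15:40 +0000] '
    '"GET /course/view.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in replay(SAMPLE_LOG).items():
        flag = "BURST" if s["blocked"] else "ok"
        print(f"{ip}: {s['total']} requests, {s['blocked']} over policy [{flag}]")
```

Keying on source IP is what an access log supports; it will not catch a slow distributed campaign, so pair it with a per-target-address limit inside the application where the submitted address is visible, and keep the window and limit tuned so legitimate users who mistype an address once or twice are not locked out.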
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 4.1.22 | 4.1.22 |
| moodle/moodle | Packagist | >= 4.4.0-beta, < 4.4.12 | 4.4.12 |
| moodle/moodle | Packagist | >= 4.5.0-beta, < 4.5.8 | 4.5.8 |
| moodle/moodle | Packagist | >= 5.0.0-beta, < 5.0.4 | 5.0.4 |
| moodle/moodle | Packagist | >= 5.1.0-beta, < 5.1.1 | 5.1.1 |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-5cx4-w4fh-fr57 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67853 (GHSA: advisory)
- access.redhat.com/security/cve/CVE-2025-67853 (GHSA: vdb-entry, x_refsource_REDHAT, web)
- bugzilla.redhat.com/show_bug.cgi (GHSA: issue-tracking, x_refsource_REDHAT, web)
- moodle.org/mod/forum/discuss.php (GHSA: web)
News mentions: 0
No linked articles in our index yet.