Mastodon · CVE-2025-27157
**Name of the Vulnerable Software and Affected Versions**
Mastodon versions 4.2.0 through 4.2.15
Mastodon versions 4.3.0 through 4.3.3
**Description**
The "/auth/setup" endpoint has no rate limit. An attacker can repeatedly submit crafted requests to it and cause the instance to send emails to arbitrary addresses, which makes the server usable as a spam relay and exposes its mail reputation.
**Recommendations**
For Mastodon versions 4.2.0 through 4.2.15, update to version 4.2.16 or later.
For Mastodon versions 4.3.0 through 4.3.3, update to version 4.3.4 or later.
As a temporary workaround, restrict access to the "/auth/setup" endpoint (for example, at the reverse proxy) until the fixed version can be deployed.
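The workaround above talks about restricting the endpoint; one way to do that in a Rails/Rack stack is a small throttling middleware in front of the route. The code below is an added illustration, not Mastodon's own code and not its actual Rack::Attack configuration: the path comes from the advisory, while the limit (5 requests), the window (300 seconds) and the sample client addresses are constructed values. It throttles every request method to the path, because the advisory does not say which method triggers the email, and it reads the client address from `REMOTE_ADDR`, which is only correct when the Ruby process is not behind a proxy.

```ruby
# Added example: a minimal Rack-compatible middleware that applies a sliding
# window rate limit per client IP to one sensitive path. Not Mastodon's code.
class SetupThrottle
  PROTECTED_PATH = '/auth/setup'.freeze # endpoint named in the advisory

  # limit/window are constructed defaults; clock is injectable for tests.
  def initialize(app, limit: 5, window: 300, clock: -> { Time.now.to_f })
    @app = app
    @limit = limit
    @window = window
    @clock = clock
    @hits = Hash.new { |h, k| h[k] = [] } # ip => [request timestamps]
  end

  def call(env)
    return @app.call(env) unless env['PATH_INFO'] == PROTECTED_PATH

    ip = env['REMOTE_ADDR'] || 'unknown'
    now = @clock.call
    # Sliding window: forget requests older than the window.
    @hits[ip].reject! { |t| now - t >= @window }

    if @hits[ip].size >= @limit
      retry_after = (@window - (now - @hits[ip].first)).ceil
      return [429,
              { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s },
              ['Too Many Requests']]
    end

    @hits[ip] << now
    @app.call(env)
  end

  # Builds a minimal Rack env hash for demonstration (constructed values).
  def self.env_for(path:, ip:, method: 'POST')
    { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'REMOTE_ADDR' => ip }
  end
end

# Sends `count` requests from one constructed client and returns the status
# codes, so the effect of the limit can be observed without a web server.
def simulate_burst(count, limit: 5, window: 300)
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  middleware = SetupThrottle.new(app, limit: limit, window: window)
  env = SetupThrottle.env_for(path: SetupThrottle::PROTECTED_PATH, ip: '203.0.113.5')
  Array.new(count) { middleware.call(env)[0] }
end

if __FILE__ == $PROGRAM_NAME
  puts simulate_burst(7).inspect # first 5 pass, remaining 2 get 429
end
```

When the application sits behind nginx or another reverse proxy, `REMOTE_ADDR` is the proxy's address, so every client would share one bucket; in that deployment, derive the key from `X-Forwarded-For` only for connections that come from the trusted proxy, or apply the limit in the proxy itself. Blocked requests should also be logged, since a burst of 429s on this path is a useful detection signal for abuse attempts.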