Mastodon · Mastodon · CVE-2025-54879
**Name of the Vulnerable Software and Affected Versions**
Mastodon versions 3.1.5 through 4.2.24
Mastodon versions 4.3.0 through 4.3.11
Mastodon versions 4.4.0 through 4.4.3
**Description**
Mastodon’s rate-limiting system contains a configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path. This effectively disables per-email limits for confirmation requests, allowing attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address. Only a weak IP-based throttle (25 requests per 5 minutes) remains active. This enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam.
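To make the misconfiguration concrete, here is an added illustration that is not Mastodon's own code: a minimal stand-in for a Rack::Attack-style throttle, with the discriminator that checks the wrong path beside the corrected one. The Devise-style paths under /auth, the per-email limit of 5 and the sample address are assumptions; the period window is omitted for brevity.

```ruby
# Minimal stand-in for a Rack::Attack-style throttle: one counter per
# discriminator key. A request whose discriminator returns nil is never
# counted, which is exactly how a wrong path check silently disables a limit.
class Throttle
  def initialize(limit:, &discriminator)
    @limit = limit
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # True when this request pushes its key past the limit (would be rejected).
  def throttled?(req)
    key = @discriminator.call(req)
    return false if key.nil?   # no key: this throttle does not apply
    @counts[key] += 1
    @counts[key] > @limit
  end
end

# Request stand-in. Paths are assumed Devise defaults mounted under /auth.
Request = Struct.new(:verb, :path, :ip, :email)
CONFIRMATION_PATH = '/auth/confirmation'
PASSWORD_PATH     = '/auth/password'

# Misconfigured: the per-email throttle intended for confirmation emails
# tests the password-reset path, so confirmation requests never get a key.
def broken_email_throttle
  Throttle.new(limit: 5) do |req|
    req.email if req.verb == 'POST' && req.path == PASSWORD_PATH
  end
end

# Corrected: key on the address for POSTs to the confirmation path.
def fixed_email_throttle
  Throttle.new(limit: 5) do |req|
    req.email if req.verb == 'POST' && req.path == CONFIRMATION_PATH
  end
end

# Replay n confirmation requests for one address, each from a different IP
# (so only the per-email limit is exercised), and count how many are rejected.
def rejected_count(throttle, n, email: 'user@example.invalid')
  (1..n).count do |i|
    throttle.throttled?(Request.new('POST', CONFIRMATION_PATH, "198.51.100.#{i}", email))
  end
end

puts "broken: #{rejected_count(broken_email_throttle, 30)} of 30 rejected"  # 0
puts "fixed:  #{rejected_count(fixed_email_throttle, 30)} of 30 rejected"   # 25
```

A regression test for the fix is the second number: with the correct path check, every confirmation request past the fifth for the same address is rejected regardless of source IP.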
**Recommendations**
Update to Mastodon version 4.2.24.
Update to Mastodon version 4.3.11.
Update to Mastodon version 4.4.3.