PT-2025-32007 · Mastodon · Mastodon

Renchap · Published 2025-08-05 · Updated 2025-08-26 · CVE-2025-54879

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Mastodon versions 3.1.5 and later, before 4.2.24
Mastodon versions 4.3.0 and later, before 4.3.11
Mastodon versions 4.4.0 and later, before 4.4.3
Description

Mastodon's rate-limiting configuration contains an error in the per-email throttle for confirmation emails: the throttle matches requests on the password-reset path instead of the confirmation path, so it never applies to confirmation requests. With the per-email limit effectively disabled, the only protection left is the IP-based throttle of 25 requests per 5 minutes, which an attacker defeats by rotating source IP addresses. An unauthenticated attacker can therefore trigger an unbounded number of confirmation emails to any address, flooding the instance's mail queue (denial of service) and harassing the targeted recipient with confirmation-email spam.
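The misconfiguration, modelled as an added example that is not part of this advisory or of Mastodon's own code: Mastodon implements its throttles with Rack::Attack, so the block below is a small in-memory model of Rack::Attack's fixed-window throttles with the vulnerable and the corrected per-email throttle side by side, driven by a constructed attacker who re-requests the confirmation mail for one victim address. The 25-requests-per-5-minutes IP limit is the one the advisory states; the 5-per-30-minutes per-email limit, the throttle names and the `/auth/confirmation` and `/auth/password` path checks are assumptions made for the example.

```ruby
# Added example for this advisory: a minimal in-memory model of Rack::Attack-style
# throttles, written to show why a per-email throttle keyed on the wrong path
# gives no protection. Illustrative code, not Mastodon's own
# config/initializers/rack_attack.rb. The 25-requests-per-5-minutes IP limit is
# the one stated in the advisory; the 5-per-30-minutes per-email limit is an
# assumption made for the example.

# The parts of a request a throttle discriminator looks at.
Request = Struct.new(:verb, :path, :remote_ip, :params, keyword_init: true) do
  def post?
    verb == 'POST'
  end

  def path_starts_with?(prefix)
    path.start_with?(prefix)
  end
end

# Fixed-window counter keyed on (throttle name, discriminator value, window),
# mirroring how Rack::Attack stores its counters.
class Throttle
  def initialize(name, limit:, period:, &discriminator)
    @name = name
    @limit = limit
    @period = period
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # True when this request pushes the discriminator's count past the limit.
  # A nil discriminator means the throttle does not apply to the request.
  def blocked?(req, now)
    key = @discriminator.call(req)
    return false if key.nil?

    cache_key = [@name, key, now.to_i / @period]
    @counts[cache_key] += 1
    @counts[cache_key] > @limit
  end
end

# The per-email throttle takes the path it should match as a parameter so the
# vulnerable and the fixed configuration can be compared directly.
def build_throttles(email_throttle_path:)
  [
    Throttle.new('throttle_email_confirmations/ip', limit: 25, period: 300) do |req|
      req.remote_ip if req.post? && req.path_starts_with?('/auth/confirmation')
    end,
    Throttle.new('throttle_email_confirmations/email', limit: 5, period: 1800) do |req|
      req.params.dig('user', 'email') if req.post? && req.path_starts_with?(email_throttle_path)
    end,
  ]
end

# Vulnerable: the per-email throttle checks the password-reset path, so it
# never matches a confirmation request and its limit is never enforced.
VULNERABLE_THROTTLES = -> { build_throttles(email_throttle_path: '/auth/password') }
# Fixed: the per-email throttle checks the confirmation path.
FIXED_THROTTLES = -> { build_throttles(email_throttle_path: '/auth/confirmation') }

# Simulate an attacker re-requesting the confirmation mail for one victim address.
# With rotate_ips the attacker uses a fresh (constructed, documentation-range)
# source address per request, which is what defeats the IP-based throttle.
# Returns how many of the attempts would have reached the mail queue.
def confirmation_emails_sent(throttles, attempts:, rotate_ips:, now: 0)
  sent = 0
  attempts.times do |i|
    ip = rotate_ips ? "203.0.113.#{(i % 254) + 1}" : '203.0.113.1'
    req = Request.new(verb: 'POST', path: '/auth/confirmation', remote_ip: ip,
                      params: { 'user' => { 'email' => 'victim@example.invalid' } })
    sent += 1 unless throttles.any? { |t| t.blocked?(req, now) }
  end
  sent
end

if __FILE__ == $PROGRAM_NAME
  [[VULNERABLE_THROTTLES, 'vulnerable'], [FIXED_THROTTLES, 'fixed']].each do |build, label|
    [false, true].each do |rotate|
      n = confirmation_emails_sent(build.call, attempts: 100, rotate_ips: rotate)
      puts format('%-10s rotate_ips=%-5s -> %3d of 100 confirmation mails sent', label, rotate, n)
    end
  end
end
```

Run stand-alone, the vulnerable configuration lets 25 mails through from a single IP and all 100 when the attacker rotates addresses, because only the IP throttle ever fires; the fixed configuration stops at 5 in both cases, since the per-email key is the same whatever the source address. The same check, driven against a real instance with a handful of `POST /auth/confirmation` requests for one address from two source IPs, is a quick way for an operator to confirm the fix is in place after upgrading.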
Recommendations

Update to Mastodon version 4.2.24 or later on the 4.2 branch.
Update to Mastodon version 4.3.11 or later on the 4.3 branch.
Update to Mastodon version 4.4.3 or later on the 4.4 branch.

Exploit

Fix

DoS

Weakness Enumeration

Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

BIT-MASTODON-2025-54879
CVE-2025-54879
GHSA-84CH-6436-C7MG

Affected Products

Mastodon