PT-2025-8976 · Mastodon · Mastodon

227Abdulrahuman

Published

2025-02-27

Updated

2025-03-02

CVE-2025-27157

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions Mastodon versions 4.2.0 through 4.2.15 Mastodon versions 4.3.0 through 4.3.3

Description The issue concerns missing rate limits on the "/auth/setup" API endpoint, allowing an attacker to send emails to arbitrary addresses by crafting specific requests.

Recommendations For Mastodon versions 4.2.0 through 4.2.15, update to version 4.2.16 or later. For Mastodon versions 4.3.0 through 4.3.3, update to version 4.3.4 or later. As a temporary workaround, consider restricting access to the "/auth/setup" endpoint until a patch is available.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

BIT-MASTODON-2025-27157

CVE-2025-27157

GHSA-V39F-C9JJ-8W7H

Affected Products

Mastodon

PT-2025-8976 · Mastodon · Mastodon

CVE-2025-27157

Weakness Enumeration

Related Identifiers

Affected Products

References · 9