fkie_cve-2025-54879
Vulnerability from fkie_nvd
Published
2025-08-06 00:15
Modified
2025-08-26 13:57
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.
References
security-advisories@github.comhttps://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952Patch
security-advisories@github.comhttps://github.com/mastodon/mastodon/releases/tag/v4.4.3Release Notes
security-advisories@github.comhttps://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mgThird Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mgThird Party Advisory
Impacted products
Vendor Product Version
joinmastodon mastodon *
joinmastodon mastodon *
joinmastodon mastodon *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB393D73-9059-4048-94D4-19C0A2745DF4",
              "versionEndExcluding": "4.2.24",
              "versionStartIncluding": "3.1.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D17CA7B4-059D-4529-9ECA-44038C156693",
              "versionEndExcluding": "4.3.11",
              "versionStartIncluding": "4.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7D822E7-0994-4D10-8219-F1253026CC0C",
              "versionEndExcluding": "4.4.3",
              "versionStartIncluding": "4.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon\u0027s rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3."
    },
    {
      "lang": "es",
      "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub Mastodon, que facilita la configuraci\u00f3n LDAP para la autenticaci\u00f3n. En las versiones 3.1.5 a 4.2.24, 4.3.0 a 4.3.11 y 4.4.0 a 4.4.3, el sistema de limitaci\u00f3n de velocidad de Mastodon presenta un error cr\u00edtico de configuraci\u00f3n: la limitaci\u00f3n basada en correo electr\u00f3nico para los correos de confirmaci\u00f3n verifica incorrectamente la ruta de restablecimiento de contrase\u00f1a en lugar de la de confirmaci\u00f3n, lo que desactiva los l\u00edmites por correo electr\u00f3nico para las solicitudes de confirmaci\u00f3n. Esto permite a los atacantes eludir las limitaciones de velocidad rotando las direcciones IP y enviar correos de confirmaci\u00f3n ilimitados a cualquier direcci\u00f3n, ya que solo permanece activa una limitaci\u00f3n d\u00e9bil basada en IP (25 solicitudes cada 5 minutos). Esta vulnerabilidad permite ataques de denegaci\u00f3n de servicio que pueden saturar las colas de correo y facilitar el acoso a los usuarios mediante correos de confirmaci\u00f3n no deseados. Esto se ha corregido en las versiones 4.2.24, 4.3.11 y 4.4.3."
    }
  ],
  "id": "CVE-2025-54879",
  "lastModified": "2025-08-26T13:57:17.110",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-06T00:15:31.880",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.