CVE-2025-27157

medium

Description

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h

https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec

Details

Source: Mitre, NVD

Published: 2025-02-27

Updated: 2025-06-24

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Severity: Medium

EPSS

EPSS: 0.00053