CVE-2025-27157

Medium CVSS: 5.3

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

Vendor

Joinmastodon

Product

Mastodon

CWE

CWE-770

Yayın Tarihi

2025-02-27 17:15:16

Güncelleme

2025-06-24 15:59:59

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-770 Mastodon MEDIUM Joinmastodon 2025

Referanslar

https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h

Benzer Kayıtlar

Medium

CVE-2026-33868

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21,…

Medium

CVE-2026-33869

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5…

Medium

CVE-2026-27477

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval b…

Medium

CVE-2026-27468

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval b…

Medium

CVE-2026-25540

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mas…

High

CVE-2026-23962

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, a…