CVE-2025-54879 (GCVE-0-2025-54879)
Vulnerability from cvelistv5 – Published: 2025-08-05 23:39 – Updated: 2025-08-06 20:32
VLAI?
Summary
Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.
Severity ?
5.3 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54879",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T20:32:42.219873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T20:32:56.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1.5, \u003c 4.2.24"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.11"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon\u0027s rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:39:59.130Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg"
},
{
"name": "https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.3"
}
],
"source": {
"advisory": "GHSA-84ch-6436-c7mg",
"discovery": "UNKNOWN"
},
"title": "Mastodon e\u2011mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54879",
"datePublished": "2025-08-05T23:39:59.130Z",
"dateReserved": "2025-07-31T17:23:33.475Z",
"dateUpdated": "2025-08-06T20:32:56.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-54879\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-06T00:15:31.880\",\"lastModified\":\"2025-08-26T13:57:17.110\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon\u0027s rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.\"},{\"lang\":\"es\",\"value\":\"Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub Mastodon, que facilita la configuraci\u00f3n LDAP para la autenticaci\u00f3n. En las versiones 3.1.5 a 4.2.24, 4.3.0 a 4.3.11 y 4.4.0 a 4.4.3, el sistema de limitaci\u00f3n de velocidad de Mastodon presenta un error cr\u00edtico de configuraci\u00f3n: la limitaci\u00f3n basada en correo electr\u00f3nico para los correos de confirmaci\u00f3n verifica incorrectamente la ruta de restablecimiento de contrase\u00f1a en lugar de la de confirmaci\u00f3n, lo que desactiva los l\u00edmites por correo electr\u00f3nico para las solicitudes de confirmaci\u00f3n. Esto permite a los atacantes eludir las limitaciones de velocidad rotando las direcciones IP y enviar correos de confirmaci\u00f3n ilimitados a cualquier direcci\u00f3n, ya que solo permanece activa una limitaci\u00f3n d\u00e9bil basada en IP (25 solicitudes cada 5 minutos). Esta vulnerabilidad permite ataques de denegaci\u00f3n de servicio que pueden saturar las colas de correo y facilitar el acoso a los usuarios mediante correos de confirmaci\u00f3n no deseados. Esto se ha corregido en las versiones 4.2.24, 4.3.11 y 4.4.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.5\",\"versionEndExcluding\":\"4.2.24\",\"matchCriteriaId\":\"EB393D73-9059-4048-94D4-19C0A2745DF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.3.0\",\"versionEndExcluding\":\"4.3.11\",\"matchCriteriaId\":\"D17CA7B4-059D-4529-9ECA-44038C156693\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndExcluding\":\"4.4.3\",\"matchCriteriaId\":\"E7D822E7-0994-4D10-8219-F1253026CC0C\"}]}]}],\"references\":[{\"url\":\"https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/mastodon/mastodon/releases/tag/v4.4.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54879\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-06T20:32:42.219873Z\"}}}], \"references\": [{\"url\": \"https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-06T16:14:05.680Z\"}}], \"cna\": {\"title\": \"Mastodon e\\u2011mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails\", \"source\": {\"advisory\": \"GHSA-84ch-6436-c7mg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"mastodon\", \"product\": \"mastodon\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.1.5, \u003c 4.2.24\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.3.0, \u003c 4.3.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.4.0, \u003c 4.4.3\"}]}], \"references\": [{\"url\": \"https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg\", \"name\": \"https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952\", \"name\": \"https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/mastodon/mastodon/releases/tag/v4.4.3\", \"name\": \"https://github.com/mastodon/mastodon/releases/tag/v4.4.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon\u0027s rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-05T23:39:59.130Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-54879\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-06T20:32:56.740Z\", \"dateReserved\": \"2025-07-31T17:23:33.475Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-05T23:39:59.130Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…