CVE-2025-54879
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-08-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | From 3.1.5 (inc) to 4.2.24 (exc) |
| joinmastodon | mastodon | From 4.3.0 (inc) to 4.3.11 (exc) |
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Mastodon affects its rate-limiting system for confirmation emails. Due to a configuration error, the email-based throttle is applied to the password reset path instead of the confirmation path. As a result, the per-email limit on confirmation requests is effectively disabled: an attacker who rotates IP addresses can bypass the remaining limits and send unlimited confirmation emails to any email address. Only a weak IP-based throttle remains active.
How can this vulnerability impact me?
The vulnerability can lead to denial-of-service attacks by overwhelming mail queues with excessive confirmation emails. It can also facilitate user harassment through spam confirmation emails sent to any email address without effective rate limiting.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mastodon to version 4.2.24, 4.3.11, or 4.4.3 or later, where the rate-limiting configuration error has been fixed. Until the upgrade, monitor and limit confirmation email requests manually to prevent abuse, and consider adding rate-limiting controls at the network or application level to reduce spam and denial-of-service risk.
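The following Ruby is an added example, not Mastodon's own code or configuration. It models the class of defect described above: a per-email throttle bound to the wrong request path never inspects confirmation requests, so rotating IP addresses defeats the only throttle left. The paths, limits, periods and log-line format are assumptions chosen for illustration; the broken and corrected rule sets are shown side by side, and a small log-scanning helper illustrates the interim "monitor confirmation requests" advice.

```ruby
# Added example, not Mastodon's code: a minimal path-matched throttle like the
# one described in the advisory. Paths, limits and log format are assumed.

# A throttle rule counts requests that match one path, keyed by a request
# attribute (e-mail address or client IP), and rejects a request once the
# count for that key within the period reaches the limit.
class ThrottleRule
  attr_reader :name

  def initialize(name, path:, limit:, period:, &key)
    @name, @path, @limit, @period, @key = name, path, limit, period, key
    @buckets = Hash.new { |h, k| h[k] = [] } # key -> timestamps of counted hits
  end

  # Returns true when the request is allowed, false when throttled.
  def allow?(req, now)
    return true unless req[:path] == @path # rule does not apply to this path
    key = @key.call(req)
    return true if key.nil?
    stamps = @buckets[key]
    stamps.reject! { |t| t <= now - @period } # drop hits outside the window
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

CONFIRMATION_PATH   = '/auth/confirmation' # assumed path
PASSWORD_RESET_PATH = '/auth/password'     # assumed path
EMAIL_KEY = ->(r) { r[:params]['email']&.downcase }
IP_KEY    = ->(r) { r[:ip] }

# Broken configuration: the rule meant to limit confirmation e-mails per
# address is bound to the password-reset path, so confirmation requests are
# never counted against it. Only the weak per-IP rule remains.
def broken_rules
  [
    ThrottleRule.new('email_for_confirmation', path: PASSWORD_RESET_PATH,
                     limit: 5, period: 3600, &EMAIL_KEY),
    ThrottleRule.new('ip_for_confirmation', path: CONFIRMATION_PATH,
                     limit: 25, period: 300, &IP_KEY)
  ]
end

# Corrected configuration: same rules, with the e-mail rule on the right path.
def fixed_rules
  [
    ThrottleRule.new('email_for_confirmation', path: CONFIRMATION_PATH,
                     limit: 5, period: 3600, &EMAIL_KEY),
    ThrottleRule.new('ip_for_confirmation', path: CONFIRMATION_PATH,
                     limit: 25, period: 300, &IP_KEY)
  ]
end

# Constructed traffic: many confirmation requests for one address, each from
# a different source IP, one second apart.
def rotating_ip_requests(count = 30)
  (1..count).map do |i|
    { path: CONFIRMATION_PATH, ip: "203.0.113.#{i}", time: i,
      params: { 'email' => 'target@example.org' } }
  end
end

# Number of requests the rule set lets through.
def simulate(rules, requests)
  requests.count { |req| rules.all? { |rule| rule.allow?(req, req[:time]) } }
end

# Interim monitoring: find recipients receiving more confirmation mails than
# a threshold allows. Constructed sample lines, not real Mastodon log output.
SAMPLE_MAIL_LOG = <<~LOG
  2025-08-06T10:00:01Z mailer=confirmation_instructions to=target@example.org
  2025-08-06T10:00:02Z mailer=confirmation_instructions to=target@example.org
  2025-08-06T10:00:03Z mailer=reset_password_instructions to=bob@example.org
  2025-08-06T10:00:04Z mailer=confirmation_instructions to=target@example.org
  2025-08-06T10:00:05Z mailer=confirmation_instructions to=bob@example.org
  2025-08-06T10:00:06Z mailer=confirmation_instructions to=target@example.org
  2025-08-06T10:00:07Z mailer=confirmation_instructions to=target@example.org
  2025-08-06T10:00:08Z mailer=confirmation_instructions to=target@example.org
LOG

def recipients_over_threshold(log, threshold:)
  counts = Hash.new(0)
  log.each_line do |line|
    next unless line.include?('mailer=confirmation_instructions')
    to = line[/to=(\S+)/, 1] or next
    counts[to] += 1
  end
  counts.select { |_, n| n > threshold }.keys
end

if __FILE__ == $PROGRAM_NAME
  reqs = rotating_ip_requests
  puts "broken config allowed: #{simulate(broken_rules, reqs)} of #{reqs.size}"
  puts "fixed config allowed:  #{simulate(fixed_rules, reqs)} of #{reqs.size}"
  puts "over threshold: #{recipients_over_threshold(SAMPLE_MAIL_LOG, threshold: 5)}"
end
```

With the broken rule set every one of the 30 requests is accepted, because each IP is seen only once and the per-email rule never fires on the confirmation path; with the corrected set the per-email limit stops the flow after five. The log helper is deliberately keyed on the recipient rather than the source IP, since IP rotation is exactly what the per-IP throttle fails to handle.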