CVE-2025-35432
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-23
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisa | thorium | 1.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | Uncontrolled Resource Consumption: the product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CISA Thorium before 1.1.1 does not rate limit the "resend account verification email" request. A remote, unauthenticated attacker can therefore trigger an unlimited number of verification emails to any user whose account is still pending verification, with no credentials or user interaction required. Version 1.1.1 fixes this by enforcing a default minimum interval of 10 minutes between verification emails for the same account.
How can this vulnerability impact me?
An attacker can flood the targeted user's inbox with verification messages, causing spam, annoyance, or effectively a denial of service against that mailbox (legitimate mail, including the real verification link, gets buried). On the server side, each request consumes mail-sending capacity and can also get the deployment's outbound mail flagged as spam by the receiving provider. The flaw does not by itself affect the confidentiality or integrity of data in Thorium; its impact is on availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade CISA Thorium to version 1.1.1 or later, which enforces a default 10-minute minimum interval between account verification emails to the same account. If you cannot upgrade immediately, throttle the resend-verification request at your reverse proxy or WAF as an interim measure, and check outbound mail logs for bursts of verification messages to a single recipient, which would indicate the issue is being abused.
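The following Rust example illustrates the unthrottled behaviour described in the explanation above and the per-account interval that the mitigation relies on. It is an added example, not Thorium's own code: the `VerificationMailer` type, its `resend` and `flood` functions, the in-memory outbox, the explicit `now` clock argument, and the `alice`/`bob` accounts are all constructed for this demonstration. The only value taken from the page is the 10-minute default interval.

```rust
use std::collections::{HashMap, HashSet};
use std::time::Duration;

/// Default minimum interval between verification emails to one account,
/// matching the 10 minute default described for the fixed version.
pub const DEFAULT_MIN_INTERVAL: Duration = Duration::from_secs(10 * 60);

/// Result of one "resend verification email" request.
#[derive(Debug, PartialEq, Eq)]
pub enum ResendOutcome {
    /// An email was handed to the outbox.
    Sent,
    /// Throttled; `retry_after_secs` is how long the caller must wait.
    RateLimited { retry_after_secs: u64 },
    /// No account with that name is pending verification.
    NoPendingUser,
}

/// Illustrative model of the resend handler (hypothetical, not Thorium's).
/// `min_interval = None` reproduces the unthrottled, vulnerable behaviour;
/// `Some(interval)` is the throttled version. Time is passed in as unix
/// seconds so the example is deterministic and runs offline.
pub struct VerificationMailer {
    pending: HashSet<String>,
    last_sent: HashMap<String, u64>,
    min_interval: Option<Duration>,
    /// Constructed stand-in for an SMTP relay: (recipient, send time).
    pub outbox: Vec<(String, u64)>,
}

impl VerificationMailer {
    pub fn new(pending: &[&str], min_interval: Option<Duration>) -> Self {
        Self {
            pending: pending.iter().map(|s| s.to_string()).collect(),
            last_sent: HashMap::new(),
            min_interval,
            outbox: Vec::new(),
        }
    }

    /// Handle one unauthenticated resend request for `username` at time `now`.
    /// The throttle is keyed by the target account, not by client IP, so an
    /// attacker cannot bypass it by spreading requests across many sources.
    pub fn resend(&mut self, username: &str, now: u64) -> ResendOutcome {
        if !self.pending.contains(username) {
            return ResendOutcome::NoPendingUser;
        }
        if let (Some(interval), Some(&last)) =
            (self.min_interval, self.last_sent.get(username))
        {
            let elapsed = now.saturating_sub(last);
            let window = interval.as_secs();
            if elapsed < window {
                return ResendOutcome::RateLimited { retry_after_secs: window - elapsed };
            }
        }
        self.last_sent.insert(username.to_string(), now);
        self.outbox.push((username.to_string(), now));
        ResendOutcome::Sent
    }

    /// Number of verification emails delivered to `username` so far.
    pub fn emails_to(&self, username: &str) -> usize {
        self.outbox.iter().filter(|(u, _)| u == username).count()
    }
}

/// Simulate an attacker hitting the endpoint once per second for `seconds`
/// seconds and return how many emails the victim actually receives.
pub fn flood(mailer: &mut VerificationMailer, victim: &str, seconds: u64) -> usize {
    for t in 0..seconds {
        let _ = mailer.resend(victim, t);
    }
    mailer.emails_to(victim)
}

fn main() {
    // Unthrottled: one email per request, so a 30 minute flood is 1800 emails.
    let mut vulnerable = VerificationMailer::new(&["alice"], None);
    println!("unthrottled: {} emails in 30 min", flood(&mut vulnerable, "alice", 1800));

    // Throttled with the 10 minute default: at most one email per window.
    let mut fixed = VerificationMailer::new(&["alice"], Some(DEFAULT_MIN_INTERVAL));
    println!("throttled:   {} emails in 30 min", flood(&mut fixed, "alice", 1800));
}
```

Two design points worth carrying into a real fix: the interval is tracked per target account rather than per source address, since the abuse is against a specific pending user and an unauthenticated attacker controls the source; and in a production handler the `NoPendingUser` case should return the same response and timing as `Sent` so the endpoint cannot be used to enumerate which accounts are pending verification.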