CVE-2024-24769
Deferred Deferred - Pending Action

MFA Token Reset Email Flooding in vantage6

Vulnerability report for CVE-2024-24769, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-23
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vantage6 vantage6 to 5.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in vantage6, an open-source infrastructure for privacy preserving analysis. Before version 5.0.0, users could reset their MFA (Multi-Factor Authentication) token via API routes that send them an email. However, there was no limit on the number of emails that could be sent, allowing attackers to flood a user's mailbox with many emails.

Although resetting the MFA token requires the correct password, the unlimited email sending could overwhelm the user's mailbox and negatively affect the SMTP server, potentially causing it to be flagged as a spam sender.

This issue was fixed in version 5.0.0 of vantage6.

Impact Analysis

The primary impact of this vulnerability is that an attacker could flood a user's mailbox with a large number of MFA reset emails, which could overwhelm the mailbox and disrupt normal email usage.

Additionally, the SMTP server used to send these emails could be adversely affected and might be seen as a spam sender, potentially impacting email deliverability for legitimate messages.

However, since resetting the MFA token requires the correct password, the overall potential impact of this vulnerability is considered very low.

Mitigation Strategies

The vulnerability is fixed in vantage6 version 5.0.0. Upgrading to this version or later is the recommended mitigation step.

No known workarounds are available.

Compliance Impact

The vulnerability allows an attacker to flood a user's mailbox with multiple MFA reset emails, potentially causing spam issues and adverse effects on the SMTP server. However, since resetting the MFA token requires the correct password, the potential impact is very low.

There is no direct information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the ability to reset MFA tokens via API routes that send emails without limitation, potentially flooding a mailbox or SMTP server.

Detection could involve monitoring for unusual volumes of MFA reset email requests or SMTP traffic originating from vantage6 API endpoints.

Since the vulnerability requires a correct password to reset MFA tokens, attempts to exploit it would generate multiple legitimate MFA reset email requests.

  • Monitor SMTP server logs for a high volume of MFA reset emails sent from vantage6.
  • Check API access logs for repeated MFA reset requests from the same user or IP address.
  • Use network monitoring tools to detect spikes in outbound email traffic related to vantage6.

Specific commands depend on your environment, but examples include:

  • On a Linux mail server, use: sudo grep 'MFA reset' /var/log/mail.log | grep vantage6
  • To check API logs: grep 'reset MFA' /path/to/vantage6/api/logs.log
  • Use network monitoring tools like tcpdump or Wireshark to filter SMTP traffic: tcpdump -i eth0 port 25 and host <vantage6-server-ip>

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-24769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart