CVE-2025-54879

Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952	Patch
https://github.com/mastodon/mastodon/releases/tag/v4.4.3	Release Notes
https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg	Third Party Advisory
https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

History

No history.

Information

Published : 2025-08-06 00:15

Updated : 2025-08-26 13:57

NVD link : CVE-2025-54879

Mitre link : CVE-2025-54879

CVE.ORG link : CVE-2025-54879

JSON object : View

Products Affected

joinmastodon

mastodon

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-54879", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-06T00:15:31.880", "references": [{"url": "https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg", "tags": ["Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub Mastodon, que facilita la configuraci\u00f3n LDAP para la autenticaci\u00f3n. En las versiones 3.1.5 a 4.2.24, 4.3.0 a 4.3.11 y 4.4.0 a 4.4.3, el sistema de limitaci\u00f3n de velocidad de Mastodon presenta un error cr\u00edtico de configuraci\u00f3n: la limitaci\u00f3n basada en correo electr\u00f3nico para los correos de confirmaci\u00f3n verifica incorrectamente la ruta de restablecimiento de contrase\u00f1a en lugar de la de confirmaci\u00f3n, lo que desactiva los l\u00edmites por correo electr\u00f3nico para las solicitudes de confirmaci\u00f3n. Esto permite a los atacantes eludir las limitaciones de velocidad rotando las direcciones IP y enviar correos de confirmaci\u00f3n ilimitados a cualquier direcci\u00f3n, ya que solo permanece activa una limitaci\u00f3n d\u00e9bil basada en IP (25 solicitudes cada 5 minutos). Esta vulnerabilidad permite ataques de denegaci\u00f3n de servicio que pueden saturar las colas de correo y facilitar el acoso a los usuarios mediante correos de confirmaci\u00f3n no deseados. Esto se ha corregido en las versiones 4.2.24, 4.3.11 y 4.4.3."}], "lastModified": "2025-08-26T13:57:17.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB393D73-9059-4048-94D4-19C0A2745DF4", "versionEndExcluding": "4.2.24", "versionStartIncluding": "3.1.5"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D17CA7B4-059D-4529-9ECA-44038C156693", "versionEndExcluding": "4.3.11", "versionStartIncluding": "4.3.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7D822E7-0994-4D10-8219-F1253026CC0C", "versionEndExcluding": "4.4.3", "versionStartIncluding": "4.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}