CVE-2025-27157 - Vulnerability Details - OpenCVE

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec
https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h

History

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 27 Feb 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.
Title		Mastodon's rate-limits are missing on `/auth/setup`
Weaknesses		CWE-770
References		https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-02-27T17:12:39.043Z

Updated: 2025-02-27T18:10:00.154Z

Reserved: 2025-02-19T16:30:47.780Z

Link: CVE-2025-27157

Vulnrichment

Updated: 2025-02-27T18:05:26.603Z

NVD

Status : Received

Published: 2025-02-27T17:15:16.867

Modified: 2025-02-27T17:15:16.867

Link: CVE-2025-27157

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27157", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-19T16:30:47.780Z", "datePublished": "2025-02-27T17:12:39.043Z", "dateUpdated": "2025-02-27T18:10:00.154Z"}, "containers": {"cna": {"title": "Mastodon's rate-limits are missing on `/auth/setup`", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h"}, {"name": "https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 4.2.0, < 4.2.16", "status": "affected"}, {"version": ">= 4.3.0, < 4.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-27T17:12:39.043Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue."}], "source": {"advisory": "GHSA-v39f-c9jj-8w7h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-27T18:04:56.696227Z", "id": "CVE-2025-27157", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T18:10:00.154Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27157", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-19T16:30:47.780Z", "datePublished": "2025-02-27T17:12:39.043Z", "dateUpdated": "2025-02-27T18:10:00.154Z"}, "containers": {"cna": {"title": "Mastodon's rate-limits are missing on `/auth/setup`", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h"}, {"name": "https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 4.2.0, < 4.2.16", "status": "affected"}, {"version": ">= 4.3.0, < 4.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-27T17:12:39.043Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue."}], "source": {"advisory": "GHSA-v39f-c9jj-8w7h", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-27T18:04:56.696227Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T18:05:26.603Z"}}]}}