- Description
- Mastodon is a self-hosted, federated microblogging platform. In versions from 4.2.0 before 4.2.16 and from 4.3.0 before 4.3.4, the `/auth/setup` endpoint has no rate limits. Without those limits, an attacker can submit an unbounded number of crafted requests, each of which causes the instance to send an email to an address of the attacker's choosing, turning the instance into an unsolicited-mail source. Versions 4.2.16 and 4.3.4 fix the issue.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
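The weakness described above is the absence of a throttle on an endpoint whose side effect is an outbound email. The Ruby below is an added example, not Mastodon's code (Mastodon's own throttling lives in its Rack::Attack configuration, which this example does not depend on). It models the unfixed behaviour (mail sent unconditionally) beside a fixed-window throttle keyed by both source IP and destination address. The class name, limit values, helper functions and sample addresses are assumptions chosen for illustration; the advisory does not publish Mastodon's actual limits.

```ruby
# Added example, not Mastodon's code: a fixed-window throttle for an
# e-mail-sending endpoint such as /auth/setup, keyed by client IP and by
# target address. Names, limits and helpers below are assumptions.

class EmailEndpointThrottle
  Limit = Struct.new(:max, :period)

  # Assumed limits: 5 requests per 5 minutes per source IP, and
  # 3 e-mails per hour per destination address.
  DEFAULT_LIMITS = {
    ip:    Limit.new(5, 300),
    email: Limit.new(3, 3600),
  }.freeze

  def initialize(limits = DEFAULT_LIMITS)
    @limits = limits
    # key => { window: <fixed-window index>, count: <requests in that window> }
    @counters = Hash.new { |h, k| h[k] = { window: nil, count: 0 } }
  end

  # Returns :allowed or :throttled. Both buckets are checked before either
  # is incremented, so a throttled request never consumes quota.
  def check(ip:, email:, now: Time.now.to_i)
    keys = { ip: [:ip, ip], email: [:email, normalize(email)] }
    keys.each do |kind, key|
      return :throttled if bucket_for(key, @limits[kind].period, now)[:count] >= @limits[kind].max
    end
    keys.each { |kind, key| bucket_for(key, @limits[kind].period, now)[:count] += 1 }
    :allowed
  end

  private

  # Case and whitespace variants of an address share one bucket; otherwise
  # "victim@example.org" and "Victim@example.org" would each get a fresh quota.
  def normalize(email)
    email.to_s.strip.downcase
  end

  # Fixed-window counter: the window index is now / period, so the count
  # resets when the clock crosses a period boundary.
  def bucket_for(key, period, now)
    bucket = @counters[key]
    window = now / period
    if bucket[:window] != window
      bucket[:window] = window
      bucket[:count] = 0
    end
    bucket
  end
end

# Request handler in the two shapes the advisory contrasts. With throttle: nil
# it behaves like the unfixed endpoint and mails unconditionally; with a
# throttle it refuses once a limit is hit. `mailer` is an Array standing in
# for the real mail queue.
def handle_setup_request(ip:, email:, now:, mailer:, throttle: nil)
  if throttle && throttle.check(ip: ip, email: email, now: now) == :throttled
    return :throttled
  end
  mailer << email
  :sent
end

# Fire `requests` setup requests from one IP and return [tally, mails_sent],
# e.g. [{ sent: 3, throttled: 7 }, 3]. `emails` is one address (one victim)
# or a list that is cycled through (many targets).
def simulate_burst(throttle:, ip:, emails:, requests:, now: 1_700_000_000)
  mailer = []
  emails = Array(emails)
  outcomes = Hash.new(0)
  requests.times do |i|
    outcome = handle_setup_request(ip: ip, email: emails[i % emails.size],
                                   now: now, mailer: mailer, throttle: throttle)
    outcomes[outcome] += 1
  end
  [outcomes, mailer.size]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample burst: ten requests for one victim address.
  p simulate_burst(throttle: nil, ip: "203.0.113.10", emails: "victim@example.org", requests: 10)
  p simulate_burst(throttle: EmailEndpointThrottle.new, ip: "203.0.113.10",
                   emails: "victim@example.org", requests: 10)
end
```

Keying on both dimensions matters: a per-IP limit alone caps volume from one source but does nothing against a distributed attacker, while a per-address limit alone protects a single victim but lets one source spray many addresses. A fixed window is also the simplest shape; a sliding window or token bucket avoids the burst that is possible at a window boundary, at the cost of a little more state.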
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Severity
- MEDIUM
- Weakness (source: security-advisories@github.com)
- CWE-770: Allocation of Resources Without Limits or Throttling
- Hype score
- Not currently trending
🚨 CVE-2025-27157 🟠 MEDIUM (5.3) 🏢 mastodon - mastodon 🏗️ >= 4.2.0, < 4.2.16 🔗 https://t.co/1r2vUGeZPh 🔗 https://t.co/2eMY0xU692 #CyberCron #VulnAlert https://t.co/86yZzLOZ1N
@cybercronai
1 Mar 2025
New post from https://t.co/uXvPWJy6tj (CVE-2025-27157 | Mastodon up to 4.2.15/4.3.3 /auth/setup allocation of resources (GHSA-v39f-c9jj-8w7h)) has been published on https://t.co/18PWVGhW4P
@WolfgangSesin
28 Feb 2025
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "53633344-6503-4CB1-A5AD-3398E3819069",
"versionEndExcluding": "4.2.16",
"versionStartIncluding": "4.2.0"
},
{
"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "97C4389D-7EB8-4E02-8DC8-DA1E39429AE9",
"versionEndExcluding": "4.3.4",
"versionStartIncluding": "4.3.0"
}
],
"operator": "OR"
}
]
}
]