CVE-2025-27157

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-27157

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27157.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-27157

Aliases

BIT-mastodon-2025-27157
GHSA-v39f-c9jj-8w7h

Published

2025-02-27T17:12:39.043Z

Modified

2026-04-10T05:23:47.164962Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Mastodon's rate-limits are missing on `/auth/setup`

Details

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27157.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/mastodon/mastodon

Affected ranges

Type

GIT

Repo

https://github.com/mastodon/mastodon

Events

Introduced

4fcc026f0f1b12a9de21a3af33375a9c8867dd55

Fixed

015858aef749b39e0a0ac662c8022ea0bf23b456

Database specific

{
    "versions": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.16"
        }
    ]
}

Type

GIT

Repo

https://github.com/mastodon/mastodon

Events

Introduced

ab36c152f9e5f9054798504354365dcaef4e5c43

Fixed

c1f398ae93d23ebb1ff5c7df5a32bc161a632980

Database specific

{
    "versions": [
        {
            "introduced": "4.3.0"
        },
        {
            "fixed": "4.3.4"
        }
    ]
}

Affected versions

v4.*

v4.2.0

v4.2.1

v4.2.10

v4.2.11

v4.2.12

v4.2.13

v4.2.14

v4.2.15

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v4.3.0

v4.3.1

v4.3.2

v4.3.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27157.json"

Git / github.com/tootsuite/mastodon

Affected ranges

Type

GIT

Repo

https://github.com/tootsuite/mastodon

Events

Introduced

4fcc026f0f1b12a9de21a3af33375a9c8867dd55

Fixed

015858aef749b39e0a0ac662c8022ea0bf23b456

Introduced

ab36c152f9e5f9054798504354365dcaef4e5c43

Fixed

c1f398ae93d23ebb1ff5c7df5a32bc161a632980

Database specific

{
    "versions": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.16"
        },
        {
            "introduced": "4.3.0"
        },
        {
            "fixed": "4.3.4"
        }
    ]
}

Affected versions

v4.*

v4.2.0

v4.2.1

v4.2.10

v4.2.11

v4.2.12

v4.2.13

v4.2.14

v4.2.15

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v4.3.0

v4.3.1

v4.3.2

v4.3.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27157.json"