Home > Vulnerability Database > CVE-2025-27157

Mend.io Vulnerability Database

CVE-2025-27157

Date: February 27, 2025

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on "/auth/setup". Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

Severity Score

5.3

Related Resources (4)

Url: https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27157

Url: https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h

Url: https://www.mend.io/vulnerability-database/CVE-2025-27157

Severity Score

5.3

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27157

Date: February 27, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?