CVE-2025-27157

Published: 2025-02-27T17:15Z

Last Modified: 2025-02-27T17:15Z

Source: MITRE CVE List

License: MITRE-CVE-TOS

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt