CVE-2025-27157 Information

Description

Mastodon is a self-hosted federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4 the rate limits are missing on /auth/setup. Without those rate limits an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

Reference

https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h