Configuration Flaw in Mastodon Open-Source Social Network Server
CVE-2025-54879

5.3 MEDIUM

Key Information:

Vendor: Mastodon
Status: Vendor
CVE Published: 6 August 2025

What is CVE-2025-54879?

Mastodon, the free and open-source social network server, ships a misconfigured rate limit for confirmation emails in the affected versions. The per-email throttle that is meant to cap how often a confirmation email can be requested for a given address is attached to the password reset path instead of the confirmation path, so it never applies to confirmation requests. The only control left on that path is a per-IP throttle of 25 requests per 5 minutes, which an attacker sidesteps by rotating source IP addresses, triggering an effectively unbounded stream of confirmation emails to any address of their choosing. The impact is on availability: the instance's outbound mail queue can be saturated, and the targeted address is flooded with confirmation email spam, which also lends itself to harassment. The issue is fixed in Mastodon 4.2.24, 4.3.11 and 4.4.3.
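To make the path mix-up concrete, the following is an added example, not Mastodon's own initializer. It models the two throttles in the shape of the Rack::Attack API that Mastodon uses (throttle(name, limit:, period:) { |req| discriminator }), but evaluates them against a small in-memory counter so the file runs stand-alone. The throttle names, the endpoint paths and the 5-per-address limit are assumptions for illustration; the 25-requests-per-5-minutes per-IP figure is the one the advisory gives. The attack burst at the bottom is constructed input.

```ruby
# Illustrative model of a misconfigured vs. corrected per-email throttle.
# Paths, throttle names and the 5-per-address limit are assumptions;
# the 25-per-IP limit is the figure quoted in the advisory.
CONFIRMATION_PATH   = '/auth/confirmation'  # assumed confirmation resend endpoint
PASSWORD_RESET_PATH = '/auth/password'      # assumed password reset endpoint

Request = Struct.new(:verb, :path, :ip, :email, keyword_init: true) do
  def post?
    verb == 'POST'
  end
end

# A throttle is a limit plus a block mapping a request to the key that is
# counted (the "discriminator"), or nil when the request is out of scope.
Throttle = Struct.new(:name, :limit, :discriminator) do
  def key_for(req)
    discriminator.call(req)
  end
end

# Per-IP throttle on the confirmation endpoint: 25 requests per window.
# Present in both the vulnerable and the fixed configuration.
IP_THROTTLE = Throttle.new('email_confirmations/ip', 25, lambda { |req|
  req.ip if req.post? && req.path == CONFIRMATION_PATH
})

# Misconfigured per-email throttle: keyed on the address, but scoped to the
# password reset path, so a confirmation request never matches it.
MISCONFIGURED_EMAIL_THROTTLE = Throttle.new('email_confirmations/email', 5, lambda { |req|
  req.email if req.post? && req.path == PASSWORD_RESET_PATH
})

# Corrected per-email throttle: same discriminator, scoped to the confirmation path.
FIXED_EMAIL_THROTTLE = Throttle.new('email_confirmations/email', 5, lambda { |req|
  req.email if req.post? && req.path == CONFIRMATION_PATH
})

# Replay a burst of requests (all inside one throttle window) and return how
# many pass every throttle, i.e. how many confirmation emails would be sent.
# Like Rack::Attack, a throttle counts a request only when its discriminator
# matches, and blocks once the count exceeds the limit.
def count_allowed(requests, throttles)
  counters = Hash.new(0)
  requests.count do |req|
    blocked = throttles.any? do |t|
      key = t.key_for(req)
      next false if key.nil?
      counters[[t.name, key]] += 1
      counters[[t.name, key]] > t.limit
    end
    !blocked
  end
end

# Constructed attack burst: one victim address requested `per_ip` times from
# each source IP, staying exactly at the per-IP limit for every IP.
def confirmation_spam(victim, ips, per_ip = 25)
  ips.flat_map do |ip|
    Array.new(per_ip) { Request.new(verb: 'POST', path: CONFIRMATION_PATH, ip: ip, email: victim) }
  end
end

if __FILE__ == $PROGRAM_NAME
  ips   = (1..40).map { |i| "203.0.113.#{i}" }   # TEST-NET-3 addresses, constructed
  burst = confirmation_spam('victim@example.org', ips)
  puts "misconfigured: #{count_allowed(burst, [IP_THROTTLE, MISCONFIGURED_EMAIL_THROTTLE])} mails sent"
  puts "fixed:         #{count_allowed(burst, [IP_THROTTLE, FIXED_EMAIL_THROTTLE])} mails sent"
end
```

With 40 rotating IPs the misconfigured setup lets all 1000 requests through (each IP stays at its 25-request limit and the per-email throttle never fires), while the corrected throttle caps the victim address at 5 regardless of how many IPs the attacker controls. The same model also shows why a per-IP limit alone is the wrong control for this endpoint: it scales with the attacker's address pool rather than with the victim's address.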

Affected Version(s)

mastodon: affected >= 3.1.5, < 4.2.24; not affected < 3.1.5; fixed in 4.2.24

mastodon: affected >= 4.3.0, < 4.3.11; not affected < 4.3.0; fixed in 4.3.11

mastodon: affected >= 4.4.0, < 4.4.3; not affected < 4.4.0; fixed in 4.4.3

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 6 August 2025