CVE-2025-27157
published 2025-02-27


Priority: P4 (29)
CVSS 3.1: 5.3 (medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.34% (25.6th percentile)
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that cause the server to send email to arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.

Affected

4 ranges
Vendor         Product    Version range        Fixed in
joinmastodon   mastodon   >= 4.2.0 < 4.2.16    4.2.16
joinmastodon   mastodon   >= 4.3.0 < 4.3.4     4.3.4
mastodon       mastodon
mastodon       mastodon