SB20250227245 - Multiple vulnerabilities in Mastodon



SB20250227245 - Multiple vulnerabilities in Mastodon

Published: February 27, 2025 Updated: April 23, 2026

Security Bulletin ID SB20250227245
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-27157)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the sign-up email verification feature when handling requests to change or re-request email verification during the sign-up flow. A remote attacker can send crafted requests to cause a denial of service.

The issue can be abused to send email messages to arbitrary addresses.


2) Improper Authorization (CVE-ID: CVE-2025-27399)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose domain block information and rationales intended only for users.

The vulnerability exists due to improper authorization in the domain blocks and rationale visibility checks when handling requests for domain block information with visibility set to "users". A remote attacker can use an unconfirmed and unapproved account to access the domain blocks and rationales to disclose domain block information and rationales intended only for users.

The issue occurs when the instance is configured to show domain blocks or their rationales to logged-in users.


3) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to conduct phishing attacks through top-level navigation.

The vulnerability exists due to improper input validation in the OEmbed HTML sanitization configuration when processing OEmbed embeds. A remote attacker can supply a crafted OEmbed containing an embed tag to conduct phishing attacks through top-level navigation.

Exploitation is only possible if the deployment environment is severely misconfigured.


Remediation

Install update from vendor's website.