SB20250227245 - Multiple vulnerabilities in Mastodon
Published: February 27, 2025 Updated: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-27157)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the sign-up email verification feature when handling requests to change or re-request email verification during the sign-up flow. A remote attacker can send crafted requests to cause a denial of service.
The issue can be abused to send email messages to arbitrary addresses.
2) Improper Authorization (CVE-ID: CVE-2025-27399)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose domain block information and rationales intended only for users.
The vulnerability exists due to improper authorization in the domain blocks and rationale visibility checks when handling requests for domain block information with visibility set to "users". A remote attacker can use an unconfirmed and unapproved account to access the domain blocks and rationales to disclose domain block information and rationales intended only for users.
The issue occurs when the instance is configured to show domain blocks or their rationales to logged-in users.
3) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to conduct phishing attacks through top-level navigation.
The vulnerability exists due to improper input validation in the OEmbed HTML sanitization configuration when processing OEmbed embeds. A remote attacker can supply a crafted OEmbed containing an embed tag to conduct phishing attacks through top-level navigation.
Exploitation is only possible if the deployment environment is severely misconfigured.
Remediation
Install update from vendor's website.