Cyber Resilience

CVE-2025-54879

Medium

Published: 06 August 2025

Published
06 August 2025
Modified
26 August 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0041 61.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54879 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Joinmastodon Mastodon. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Bombing (T1667); ranked in the top 38.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the…

more

email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1667 Email Bombing Impact
Adversaries may flood targeted email addresses with an overwhelming volume of messages.
T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Vulnerability misconfigures rate-limiting, allowing unauthenticated attackers to bypass per-email limits via IP rotation and spam unlimited confirmation emails, enabling email bombing (T1667) for harassment/queue overload and application exhaustion flood (T1499.003) via overwhelming mail queues.

Affected Assets

joinmastodon
mastodon
3.1.5 — 4.2.24 · 4.3.0 — 4.3.11 · 4.4.0 — 4.4.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-770

This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.

addresses: CWE-770

Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.

addresses: CWE-770

Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.

addresses: CWE-770

Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.

addresses: CWE-770

Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.

addresses: CWE-770

Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.

addresses: CWE-770

Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.

addresses: CWE-770

Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.

References