CVE-2025-35432
📋 TL;DR
CVE-2025-35432 is an uncontrolled resource consumption vulnerability in CISA Thorium: an unauthenticated attacker can trigger an unlimited number of account verification emails to a user whose account is still pending verification. Repeating the request in a loop floods that user's inbox and pushes load onto the deployment's outbound mail infrastructure, a denial of service that needs no credentials. Thorium deployments before 1.1.1 that have users pending verification are affected.
💻 Affected Systems
- CISA Thorium
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Outbound email infrastructure overwhelmed (queue backlog, sending-provider throttling or reputation damage) causing service disruption, targeted users' inboxes flooded with thousands of verification emails, and a flood of genuine-looking messages that a phishing email imitating them could hide among.
Likely Case
User annoyance from spam verification emails, moderate email server load increase, potential for temporary service degradation.
If Mitigated
Minimal impact: with rate limiting in place a flood is capped at the configured rate, and only legitimate verification requests get through.
🎯 Exploit Status
Simple HTTP request flooding to the verification endpoint. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.1
Vendor Advisory: https://github.com/cisagov/thorium/releases/tag/1.1.1
Restart Required: No
Instructions:
1. Back up the current Thorium configuration.
2. Update Thorium to version 1.1.1 or later.
3. Verify that rate limiting for verification emails is enabled in the configuration.
4. Test that verification emails are still delivered for a legitimate pending user.
🔧 Temporary Workarounds
Implement WAF/Proxy Rate Limiting
Add rate limiting rules at the web application firewall or reverse proxy level for the verification endpoint. Keying the limit on the client address stops a single-source flood; it does not stop an attacker who spreads requests across many addresses against one pending user, so keep the monitoring below in place as well. If nginx itself sits behind another proxy or load balancer, configure the real_ip module first, otherwise every request shares the upstream proxy's address and the limit throttles all users at once.
# Example nginx rate limiting. The /api/verify path is an assumption:
# match it to the verification route your deployment actually exposes.
# limit_req_zone belongs in the http {} block; limit_req in the server/location that fronts Thorium.
limit_req_zone $binary_remote_addr zone=verify:10m rate=1r/m;
location /api/verify {
limit_req zone=verify burst=5 nodelay;
limit_req_status 429;
}
Disable Email Verification Temporarily
Temporarily disable the email verification feature if it is not critically needed. Note that while it is off, new users cannot complete verification, so treat this as a short-term measure only.
# Check the Thorium configuration for the verification settings
# and disable them (the page gives the setting as verification.enabled = false;
# confirm the exact key against the configuration reference for your version).
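The nginx rule above limits by client address only. The following is an added example, not Thorium's own code and not the 1.1.1 fix, showing a resend handler that layers a per-recipient cap on top of a per-source cap: the per-source layer handles a single noisy address, the per-recipient layer is what a distributed sender cannot dodge. The limits, windows, sample addresses and the three outcome names are illustrative assumptions.

```python
"""Two-layer throttle for a 'resend verification email' handler.

Added example, not Thorium's code. It shows why a per-source limit alone
(what a proxy rule keyed on client address enforces) still lets a distributed
sender flood one pending user, and how a per-recipient cap closes that gap.
Limits and windows are illustrative assumptions.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # expire old hits
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResendHandler:
    """Gate resend requests; `sent` records the mails a real mailer would send."""

    def __init__(self, per_ip=(5, 600.0), per_user=(3, 3600.0)):
        # pass None for either tuple to disable that layer
        self.ip_limiter = SlidingWindowLimiter(*per_ip) if per_ip else None
        self.user_limiter = SlidingWindowLimiter(*per_user) if per_user else None
        self.sent = []

    def handle(self, src_ip: str, username: str, now: float) -> str:
        # Per-source budget first: a noisy address gets an explicit 429 ("throttled").
        if self.ip_limiter and not self.ip_limiter.allow(src_ip, now):
            return "throttled"
        # Per-recipient budget: exhausted means silently drop ("dropped") while
        # answering the client exactly as for a sent mail, so the endpoint does not
        # reveal which usernames are pending verification.
        if self.user_limiter and not self.user_limiter.allow(username, now):
            return "dropped"
        self.sent.append((username, src_ip, now))
        return "sent"


def simulate(handler: ResendHandler, requests):
    """requests: iterable of (src_ip, username, now); returns outcome counts."""
    counts = {"sent": 0, "throttled": 0, "dropped": 0}
    for ip, user, now in requests:
        counts[handler.handle(ip, user, now)] += 1
    return counts


def distributed_flood(n_sources: int, username: str = "pending-user"):
    """n_sources distinct addresses each send one resend for the same user, 1 s apart."""
    return [(f"192.0.2.{i}", username, float(i)) for i in range(n_sources)]


def single_source_flood(n: int, username: str = "pending-user", ip: str = "203.0.113.5"):
    """One address sends n resends for the same user, 1 s apart."""
    return [(ip, username, float(i)) for i in range(n)]


if __name__ == "__main__":
    print("ip-only, 50 sources :", simulate(ResendHandler(per_user=None), distributed_flood(50)))
    print("both layers, 50 src :", simulate(ResendHandler(), distributed_flood(50)))
    print("both layers, 1 src  :", simulate(ResendHandler(), single_source_flood(20)))
```

With only the per-source layer, fifty addresses sending one request each deliver fifty emails to the same inbox; with the per-recipient layer, three get through per hour regardless of how many addresses the sender controls.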
🧯 If You Can't Patch
- Implement network-level rate limiting for the verification endpoint using firewalls or load balancers.
- Monitor email server logs for unusual verification email volumes and implement alerting.
🔍 How to Verify
Check if Vulnerable:
On a test instance you control, create a pending (unverified) test account, then send several POST requests to the verification endpoint (typically /api/verify or similar; confirm the route for your deployment) for that user within a minute. If every request is accepted without delay and a mail goes out each time, the instance is vulnerable. Do not run this against production or against other users' accounts.
Check Version:
Check Thorium version in web interface or configuration files, or run: thorium --version
Verify Fix Applied:
After patching, repeat the same test: requests beyond the allowed rate should be rate limited (HTTP 429 or delayed responses) and no extra mail should be sent. Check that the configuration shows rate limiting enabled with the 10-minute default.
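The check above, scripted as an added example (not a tool from the Thorium project). The endpoint path, the POST method and the JSON body shape are assumptions to confirm against your deployment's API; the script is meant for an instance you own and a pending test account you created, and the request count is deliberately small.

```python
"""Probe a Thorium instance for unthrottled verification-email resends.

Added example; this is not code from the Thorium project. The endpoint
path, HTTP method and JSON body shape below are ASSUMPTIONS: confirm them
against your deployment's API before use. Run it only against an instance
you own, with a pending test account you created, and keep the count small.
"""
import json
import sys
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

DEFAULT_PATH = "/api/verify"   # assumed; the real route may differ


@dataclass
class Attempt:
    status: int      # HTTP status code returned
    elapsed: float   # seconds the request took


def send_resend_request(base_url: str, username: str, path: str = DEFAULT_PATH,
                        timeout: float = 10.0) -> Attempt:
    """POST one resend request and record the status code and latency."""
    body = json.dumps({"username": username}).encode()   # assumed body shape
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body,
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code   # a 429 here is the patched behaviour we want to see
    return Attempt(status, time.monotonic() - start)


def classify(attempts, slow_after: float = 2.0) -> str:
    """Interpret a burst of attempts against the same pending user.

    'rate-limited': a request was refused with 429, or a later request was
                    clearly delayed relative to the first (proxy-style queueing).
    'vulnerable':   every request was accepted promptly.
    'inconclusive': the endpoint rejected the request shape (404/400/...), so
                    the path or body assumption is wrong and nothing was tested.
    """
    if not attempts:
        return "inconclusive"
    if any(a.status == 429 for a in attempts):
        return "rate-limited"
    if not all(200 <= a.status < 300 for a in attempts):
        return "inconclusive"
    if len(attempts) > 1:
        baseline = attempts[0].elapsed
        if any(a.elapsed >= max(slow_after, 4 * baseline) for a in attempts[1:]):
            return "rate-limited"
    return "vulnerable"


def probe(base_url: str, username: str, count: int = 6, pause: float = 0.5):
    """Send `count` resend requests for one pending user and classify the result."""
    attempts = []
    for _ in range(count):
        attempts.append(send_resend_request(base_url, username))
        time.sleep(pause)
    return classify(attempts), attempts


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} https://thorium.example.test pending-test-user")
    verdict, log = probe(sys.argv[1], sys.argv[2])
    for a in log:
        print(f"HTTP {a.status}  {a.elapsed:.2f}s")
    print("verdict:", verdict)
```

A verdict of "inconclusive" means the assumed route or body was wrong, not that the instance is safe; fix the assumption and rerun. Confirm the "vulnerable" verdict by checking the test account's mailbox or the mail server log for one message per request.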
📡 Detection & Monitoring
Log Indicators:
- Many verification email requests for the same pending user, or from the same source IP, within a short window
- An unusual spike in outbound mail from Thorium's mail relay
- Bursts of HTTP 429 responses on the verification endpoint after patching: the limiter is working, but the source is still worth investigating
Network Indicators:
- High volume of POST requests to verification endpoint
- Pattern of repeated requests to same verification endpoint
SIEM Query:
Per-source flood (field names as used on this page; adjust to your log format):
source="thorium" http_method="POST" (uri_path="/api/verify" OR uri_path="/verify") | bin _time span=10m | stats count by _time, src_ip, user_agent | where count > 10
Distributed flood, where no single source crosses the per-IP threshold:
source="thorium" http_method="POST" (uri_path="/api/verify" OR uri_path="/verify") | bin _time span=10m | stats count AS total dc(src_ip) AS sources by _time | where total > 50
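The same detection logic run over sample access-log lines, as an added example (not part of the page or the Thorium project). It assumes the reverse proxy in front of Thorium writes nginx/Apache combined-format lines and that resend requests are POSTs to one of the paths in VERIFY_PATHS; both assumptions, and the 10-minute window with the 10-per-IP and 50-total thresholds, are adjustable. The log lines are constructed for the example; the second sample shows the distributed case that a per-IP count alone misses.

```python
"""Flag verification-endpoint floods in reverse-proxy access logs.

Added example, not part of the original page or of the Thorium project.
It assumes combined-format access-log lines and that resend requests are
POSTs to one of VERIFY_PATHS (assumptions; adjust to your deployment).
It raises one alert per source IP that reaches PER_IP requests inside WINDOW,
and one global alert when the total across all sources reaches TOTAL, which
is what catches a sender spread over many addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

VERIFY_PATHS = ("/api/verify", "/verify")   # assumed routes
WINDOW = timedelta(minutes=10)
PER_IP = 10                                  # per-source threshold
TOTAL = 50                                   # all-sources threshold

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Parse one combined-format line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop query string
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def is_resend(ev) -> bool:
    """A resend is a POST to a verification route (GETs are page loads)."""
    return ev["method"] == "POST" and any(
        ev["path"] == p or ev["path"].startswith(p + "/") for p in VERIFY_PATHS)


def find_floods(lines, window=WINDOW, per_ip=PER_IP, total=TOTAL):
    """Return [(kind, source, count)] alerts in the order they trigger."""
    events = [e for e in map(parse_line, lines) if e and is_resend(e)]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(deque)
    everyone = deque()
    flagged = set()
    alerts = []
    for e in events:
        for key, q, limit in ((e["ip"], by_ip[e["ip"]], per_ip), ("*", everyone, total)):
            q.append(e["ts"])
            while e["ts"] - q[0] > window:     # slide the window forward
                q.popleft()
            if len(q) >= limit and key not in flagged:
                flagged.add(key)
                alerts.append(("total" if key == "*" else "per_ip", key, len(q)))
    return alerts


# ---- constructed sample traffic (not real logs) ----
_FMT = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} 17 "-" "{ua}"'
_T0 = datetime(2025, 9, 16, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, m="POST", p="/api/verify", st=200, ua="python-requests/2.31"):
    ts = (_T0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return _FMT.format(ip=ip, ts=ts, m=m, p=p, st=st, ua=ua)


# one address resending every 5 s, plus ordinary traffic that must not alert
SAMPLE_SINGLE_SOURCE = [_line("203.0.113.5", 5 * i) for i in range(12)] + [
    _line("198.51.100.7", 30, ua="Mozilla/5.0"),
    _line("198.51.100.7", 31, m="GET", ua="Mozilla/5.0"),   # page load, not a resend
    _line("198.51.100.9", 40, p="/api/files"),               # unrelated POST
]
# twenty addresses, three resends each, inside two minutes: no single IP stands out
SAMPLE_DISTRIBUTED = [_line(f"192.0.2.{n}", 2 * (3 * n + k))
                      for n in range(20) for k in range(3)]

if __name__ == "__main__":
    for name, sample in (("single source", SAMPLE_SINGLE_SOURCE),
                         ("distributed", SAMPLE_DISTRIBUTED)):
        print(name, "->", find_floods(sample))
```

The per-IP rule fires on the first sample and stays silent on the second; the all-sources rule is what fires on the second, which is the case to keep in mind when a proxy rate limit keyed on client address appears to be holding.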
🔗 References
- https://github.com/cisagov/thorium/commit/7c94a0b9bc2dc55e0c307360452f348bac06820c#diff-bf9baa11b76cd169902a976bd17a5a6ee95a4098b2d3d150ba7d8f85b7e21dc9R281-R334
- https://github.com/cisagov/thorium/releases/tag/1.1.1
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json
- https://www.cve.org/CVERecord?id=CVE-2025-35432