CVE-2025-35436

5.3 MEDIUM

📋 TL;DR

CVE-2025-35436 is an uncaught exception vulnerability in CISA Thorium's account verification email handling. An unauthenticated remote attacker can cause a denial of service by triggering a crash via specially crafted email inputs. This affects all Thorium deployments with account verification enabled.

💻 Affected Systems

Products:
  • CISA Thorium
Versions: All versions prior to commit 6a65a27
Operating Systems: All platforms running Thorium
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with account verification email functionality enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage through repeated crashes, potentially disrupting authentication workflows and user onboarding.

🟠 Likely Case: Intermittent service disruptions affecting account verification functionality, requiring manual restart of affected services.

🟢 If Mitigated: Minimal impact with proper error handling and monitoring in place to detect and restart crashed services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specially crafted email addresses or responses to trigger the unwrap() panic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 6a65a27 or later

Vendor Advisory: https://github.com/mjcarson/thorium/commit/6a65a2711fb2387e8c3eacebc774053741bf5aeb

Restart Required: Yes

Instructions:

1. Pull the latest Thorium code from the repository.
2. Apply commit 6a65a27.
3. Rebuild and redeploy Thorium.
4. Restart Thorium services.

🔧 Temporary Workarounds

Disable account verification emails
  Applies to: all
  Temporarily disable email-based account verification to prevent exploitation.
  Action: Configure Thorium to disable email verification in settings.

Implement input validation
  Applies to: all
  Add email address validation before processing verification requests.
  Action: Add email format validation in the account verification handler.
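The input-validation workaround, as an added Rust illustration. This is not Thorium's source (the page shows none of it); Rust is used because the advisory names an unwrap() panic as the crash. The names VerifyError, validate_email, vulnerable_domain, hardened_domain and handle_verification are hypothetical, and the sample addresses in main are constructed. The "before" function unwraps an Option derived from untrusted input; the "after" function validates first and turns malformed input into a typed error that the request layer can answer with a client error.

```rust
// Added illustration for this advisory, not Thorium's source code: a hypothetical
// account-verification handler that unwraps untrusted email input (the failure mode the
// advisory describes) beside a hardened version that validates first and returns an
// error instead of panicking. All names here (VerifyError, validate_email,
// vulnerable_domain, hardened_domain, handle_verification) are made up for the example.

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    /// The submitted address failed syntactic validation; the web layer maps this to a
    /// client error for that one request instead of letting the whole service die.
    InvalidEmail(String),
}

/// Minimal syntactic check for an address submitted to a verification endpoint:
/// non-empty after trimming, bounded length, no control characters, exactly one '@',
/// a non-empty local part, and a domain containing an interior '.'. It is a sanity
/// filter, not an RFC 5322 parser; a library validator could replace it without
/// changing callers.
pub fn validate_email(raw: &str) -> Result<&str, VerifyError> {
    let addr = raw.trim();
    let reject = || VerifyError::InvalidEmail(raw.to_string());

    if addr.is_empty() || addr.len() > 254 || addr.chars().any(|c| c.is_control()) {
        return Err(reject());
    }
    let mut parts = addr.split('@');
    let (Some(local), Some(domain), None) = (parts.next(), parts.next(), parts.next()) else {
        return Err(reject());
    };
    if local.is_empty()
        || domain.is_empty()
        || !domain.contains('.')
        || domain.starts_with('.')
        || domain.ends_with('.')
    {
        return Err(reject());
    }
    Ok(addr)
}

/// "Before": assumes the address is well-formed. For input without an '@', `nth(1)` is
/// `None` and `unwrap()` panics; inside a request handler that is the uncaught
/// exception / denial of service the advisory describes.
pub fn vulnerable_domain(raw: &str) -> String {
    raw.split('@').nth(1).unwrap().to_string()
}

/// "After": validate first and propagate a typed error, so no user-controlled input can
/// reach a panic.
pub fn hardened_domain(raw: &str) -> Result<String, VerifyError> {
    let addr = validate_email(raw)?;
    let domain = addr
        .split('@')
        .nth(1)
        .ok_or_else(|| VerifyError::InvalidEmail(raw.to_string()))?;
    Ok(domain.to_string())
}

/// Hypothetical endpoint glue: an HTTP-style status and body. A malformed address
/// becomes a 400 for that one client; every other client keeps being served.
pub fn handle_verification(email: &str) -> (u16, String) {
    match hardened_domain(email) {
        Ok(domain) => (200, format!("verification mail queued for domain {domain}")),
        Err(VerifyError::InvalidEmail(_)) => (400, "invalid email address".to_string()),
    }
}

fn main() {
    // Constructed sample inputs: one well-formed address and four malformed ones
    // (missing '@', double '@', domain without a dot, embedded control character).
    let inputs = ["alice@example.org", "no-at-sign", "a@@b.c", "bob@localhost", "eve@example.org\u{7}"];
    // Silence the default panic message so the comparison below reads cleanly.
    std::panic::set_hook(Box::new(|_| {}));
    for input in inputs {
        let crashed = std::panic::catch_unwind(move || vulnerable_domain(input)).is_err();
        let (status, body) = handle_verification(input);
        println!("{input:?}: vulnerable handler panicked={crashed}; hardened -> {status} {body}");
    }
}
```

Running main shows that only the address without an '@' makes the unwrap-based handler panic, while the hardened handler answers every malformed input with a 400 and never panics; the other three malformed addresses pass the vulnerable handler silently, which is why the validation step is placed before any parsing rather than relying on the parse to fail loudly.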

🧯 If You Can't Patch

  • Implement rate limiting on account verification endpoints
  • Deploy monitoring to detect and automatically restart crashed Thorium processes

🔍 How to Verify

Check if Vulnerable:

Check Thorium version/git commit hash against vulnerable range (pre-6a65a27)

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify commit 6a65a27 is applied and test account verification with malformed email inputs

📡 Detection & Monitoring

Log Indicators:

  • Panic logs containing 'unwrap()' errors
  • Service crash/restart events in Thorium logs
  • Unusual volume of account verification requests

Network Indicators:

  • Multiple failed account verification attempts from single source
  • Unusual patterns in email parameter values

SIEM Query:

source="thorium.logs" AND ("panic" OR "unwrap" OR "account verification failed")
