CVE-2025-54879
📋 TL;DR
Mastodon throttles requests for confirmation emails only by client IP address (25 requests per 5 minutes). An attacker who rotates source addresses receives a fresh budget with every new IP and can trigger an effectively unbounded number of confirmation emails to any address of their choosing. The result is inbox flooding and harassment of the targeted user, and extra load on the instance's outbound mail queue. Instances on 4.2.x before 4.2.24, 4.3.x before 4.3.11, and 4.4.x before 4.4.3 are affected.
💻 Affected Systems
- Mastodon 4.2.x before 4.2.24, 4.3.x before 4.3.11, and 4.4.x before 4.4.3
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Mail servers become overwhelmed with confirmation emails, causing service disruption for legitimate users and enabling targeted harassment campaigns against specific email addresses.
Likely Case
Attackers send spam confirmation emails to targeted users, causing inbox flooding and potential harassment, while mail queues experience increased load.
If Mitigated
With monitoring in place and a limit on the confirmation endpoint that is not keyed solely by client IP (a global ceiling at the reverse proxy, or a per-recipient limit), the impact is reduced to a small number of unwanted emails reaching users.
🎯 Exploit Status
The only obstacle is the per-IP throttle of 25 requests per 5 minutes, and it is keyed by source address alone: each new IP gets its own budget, so an attacker with a pool of addresses (proxies, cloud egress, a large allocation) can keep every individual address under the limit while the total against one recipient grows without bound. No special tooling is needed beyond the ability to send POST requests from many addresses.
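To make the weakness concrete, here is an added example in plain Ruby (it is not Mastodon's code, which uses Rack::Attack): a small sliding-window throttle is run twice against a simulated attacker who requests a confirmation email for one victim mailbox from a fresh address on every request, once keyed by source IP like the affected throttle and once keyed by the normalised recipient address. The 25 per 5 minutes figure is the one quoted above; the 5-per-hour per-recipient limit, the plus-address normalisation and the TEST-NET-3 addresses are assumptions made for the example.

```ruby
# Added example: models the IP-keyed throttle beside a recipient-keyed one.
# Plain Ruby, no Rack::Attack; the limits for the email throttle are assumed.

class SlidingWindowThrottle
  # key_fn maps a request to the throttle key, or nil when the throttle
  # does not apply to that request (wrong path or method).
  def initialize(limit:, period:, &key_fn)
    @limit = limit
    @period = period
    @key_fn = key_fn
    @hits = Hash.new { |h, k| h[k] = [] }   # key => timestamps of counted requests
  end

  # Returns true when the request may proceed, false when it is throttled.
  def allow?(request, now)
    key = @key_fn.call(request)
    return true if key.nil?
    window = @hits[key]
    window.reject! { |t| t <= now - @period }   # forget hits older than the period
    return false if window.size >= @limit
    window << now
    true
  end
end

Request = Struct.new(:ip, :email, :path, :post, keyword_init: true)

def confirmation_resend?(req)
  req.post && req.path == '/auth/confirmation'
end

# Collapse case and plus-addressing so victim+1@x and Victim+2@X count as one target.
def normalize_email(email)
  return nil unless email&.include?('@')
  local, domain = email.strip.downcase.split('@', 2)
  "#{local.sub(/\+.*/, '')}@#{domain}"
end

# The affected design: 25 requests per 5 minutes, keyed only by client IP.
def ip_throttle
  SlidingWindowThrottle.new(limit: 25, period: 300) { |r| r.ip if confirmation_resend?(r) }
end

# A complementary limit keyed by the mailbox being targeted (5 per hour is an
# assumed value chosen for the example, not a Mastodon setting).
def email_throttle
  SlidingWindowThrottle.new(limit: 5, period: 3600) { |r| normalize_email(r.email) if confirmation_resend?(r) }
end

# Simulate n resend requests for one victim, one per second. With rotate_ip the
# attacker uses a different TEST-NET-3 address for every request. Returns how
# many confirmation emails the throttle would let through.
def simulate(throttle, n, rotate_ip:)
  (0...n).count do |i|
    ip = rotate_ip ? "203.0.113.#{(i % 250) + 1}" : '203.0.113.1'
    req = Request.new(ip: ip, email: "Victim+#{i}@example.org", path: '/auth/confirmation', post: true)
    throttle.allow?(req, 1_000.0 + i)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "single IP,   IP throttle:    #{simulate(ip_throttle, 200, rotate_ip: false)} of 200 sent"
  puts "rotating IP, IP throttle:    #{simulate(ip_throttle, 200, rotate_ip: true)} of 200 sent"
  puts "rotating IP, email throttle: #{simulate(email_throttle, 200, rotate_ip: true)} of 200 sent"
end
```

Run with a single source and the IP throttle stops the attacker at 25 messages; rotate the address and all 200 go out, which is the bug. The recipient-keyed throttle caps the damage at 5 regardless of how many addresses the attacker controls, because the key is derived from the thing being abused rather than from where the request came from.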
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.24, 4.3.11, or 4.4.3
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg
Restart Required: Yes (the running web, streaming and Sidekiq processes keep the old code until they are restarted)
Instructions:
1. Update Mastodon to 4.2.24, 4.3.11, or 4.4.3, whichever matches your current release branch.
2. Run bundle install to update dependencies.
3. Run RAILS_ENV=production bundle exec rails db:migrate to apply any database migrations.
4. Restart the Mastodon web, streaming and Sidekiq services.
🔧 Temporary Workarounds
Implement external rate limiting
Configure the web application firewall or reverse proxy in front of Mastodon to limit POST requests to /auth/confirmation. A per-client-IP limit repeats the flaw being exploited, so add a limit that rotation cannot evade: a global ceiling on requests to that path, or a per-recipient limit if the proxy can inspect the form body. Leave GET /auth/confirmation alone; that is the link users click to confirm their address.
Disable email confirmation temporarily
Only an option if the instance can tolerate unconfirmed accounts. Mastodon has no configuration switch for this, so it means a local code change; prefer the proxy-side limit.
🧯 If You Can't Patch
- Monitor mail server queues and alert on unusual confirmation email volume, in particular many messages to one recipient in a short period
- Cap the total rate of POST requests to the confirmation endpoint at the firewall or load balancer (a per-IP cap alone does not stop rotation), and rate-limit outbound mail per recipient in your MTA or mail provider where that is supported
🔍 How to Verify
Check if Vulnerable:
Compare the running version with the fixed release for your branch. From the Mastodon checkout (the documented install path is /home/mastodon/live; adjust for your own):
Check Version:
cd /home/mastodon/live && RAILS_ENV=production bundle exec rails runner 'puts Mastodon::Version.to_s'
The same value is published unauthenticated at /api/v1/instance in the version field, which lets you check remote instances as well:
curl -s https://your.instance.example/api/v1/instance | jq -r .version
Verify Fix Applied:
Confirm the version is at or above the fix for your branch: 4.2.24 on 4.2.x, 4.3.11 on 4.3.x, 4.4.3 on 4.4.x. Then exercise the control: send repeated confirmation requests for one test address you own from different source IPs and confirm that they are throttled once the per-recipient limit is reached, not only when a single IP passes 25 requests in 5 minutes.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /auth/confirmation in the web server or Rails request logs (GET requests to the same path are users confirming their address and are expected)
- In MTA or mail provider logs, many confirmation messages to the same recipient within minutes (the recipient address is not in the web request log, so correlate the two sources)
Network Indicators:
- Bursts of requests to the confirmation endpoint from many distinct source IPs, each staying under 25 requests per 5 minutes
SIEM Query:
source="mastodon.log" "POST /auth/confirmation" | bin _time span=5m | stats count, dc(src_ip) AS distinct_ips BY _time | where count > 25
The field name src_ip depends on how your logs are parsed; the condition count > 25 with a high distinct_ips value is the rotation signature, since a single address beyond 25 would already have been throttled.
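An added example, not part of the original page or of Mastodon, showing the same detection logic in Ruby over access log lines in the nginx combined format. The script keeps only POST /auth/confirmation entries, slides a 5-minute window across them and reports the busiest window; a window holding more than the 25-request per-IP limit where no single address exceeds that limit points at rotation rather than at one noisy client. Both log sets are constructed for the example, the log format is assumed to be the standard combined format, and the 429 statuses stand in for Rack::Attack's default throttled response.

```ruby
# Added example: spot an IP-rotation flood of confirmation resends in access
# logs. Log lines below are constructed; the format is nginx "combined".
require 'time'

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:target].split('?', 2).first,   # drop the query string (confirmation tokens live there)
    status: m[:status].to_i,
  }
end

# Slide a window over the resend POSTs and return the busiest one:
# total requests, distinct source IPs, and the most requests any single IP made.
def confirmation_resend_peak(lines, window: 300)
  events = lines.map { |l| parse_line(l) }.compact
                .select { |e| e[:method] == 'POST' && e[:path] == '/auth/confirmation' }
                .sort_by { |e| e[:time] }
  peak = { total: 0, distinct_ips: 0, max_per_ip: 0 }
  current = []
  events.each do |e|
    current << e
    current.shift while e[:time] - current.first[:time] >= window
    next unless current.size > peak[:total]
    per_ip = current.group_by { |x| x[:ip] }.transform_values(&:size)
    peak = { total: current.size, distinct_ips: per_ip.size, max_per_ip: per_ip.values.max }
  end
  peak
end

# The affected throttle (25 per 5 minutes, keyed by IP) already stops a single
# source, so a window with more than 25 resends in which no one IP exceeds the
# limit is the signature of a rotation bypass rather than a noisy client.
def rotation_bypass?(peak, ip_limit: 25)
  peak[:total] > ip_limit && peak[:max_per_ip] <= ip_limit
end

T0 = Time.utc(2025, 9, 10, 12, 0, 0)

def stamp(t)
  t.strftime('%d/%b/%Y:%H:%M:%S %z')
end

# Constructed: 40 resends in two minutes, each from a new TEST-NET-3 address,
# plus unrelated traffic and a garbage line that the filter must ignore.
ROTATING_LOG = (0...40).map do |i|
  %(203.0.113.#{i + 1} - - [#{stamp(T0 + i * 3)}] "POST /auth/confirmation HTTP/2.0" 302 0 "-" "Mozilla/5.0")
end + [
  %(198.51.100.7 - - [#{stamp(T0 + 60)}] "GET /auth/confirmation?confirmation_token=REDACTED HTTP/2.0" 302 0 "-" "Mozilla/5.0"),
  %(198.51.100.8 - - [#{stamp(T0 + 65)}] "POST /auth/sign_in HTTP/2.0" 302 0 "-" "Mozilla/5.0"),
  'not a log line at all',
]

# Constructed: one client hammering the endpoint. The excess gets a 429 from
# the IP throttle, so this pattern is the control working, not the bypass.
SINGLE_IP_LOG = (0...30).map do |i|
  status = i < 25 ? 302 : 429
  %(203.0.113.1 - - [#{stamp(T0 + i * 3)}] "POST /auth/confirmation HTTP/2.0" #{status} 0 "-" "Mozilla/5.0")
end

if __FILE__ == $PROGRAM_NAME
  [['rotating IPs', ROTATING_LOG], ['single IP', SINGLE_IP_LOG]].each do |name, log|
    peak = confirmation_resend_peak(log)
    puts "#{name}: #{peak} rotation bypass? #{rotation_bypass?(peak)}"
  end
end
```

The rotating set peaks at 40 requests from 40 addresses with at most one request each, which the per-IP throttle can never see but which rotation_bypass? flags; the single-IP set peaks at 30 from one address and is not flagged, because the 429s show the throttle already handled it. Feed it real lines with something like File.readlines and widen the window if your attacker is patient.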