Mastodon Missing Rate Limit Vulnerability on Email Verification Endpoint
Vulnerability
A vulnerability exists in Mastodon versions 4.2.0 and later prior to the fixed releases 4.2.16 and 4.3.4, where the email verification endpoint '/auth/setup' lacks a rate limit. Because the endpoint is not throttled, an attacker can cause verification emails to be sent to arbitrary addresses by crafting requests to it. The issue arises during the sign-up process, where a user who has not yet confirmed their account can change the address or re-request the verification email, and nothing restricts how often these requests may be made.
Impact
Exploitation of this vulnerability allows unsolicited verification emails to be sent to arbitrary addresses, causing annoyance or disruption for the recipients and reputational or deliverability damage for the instance whose mail server is used. In some cases it could also be abused for email verification abuse or to bypass email-based controls that assume verification mails are sent sparingly.
Reproduction
To reproduce this vulnerability, send multiple requests to the '/auth/setup' endpoint without any rate limit. This can be done using a tool like Postman or through a script that automates the process. Monitor the recipient email addresses for the verification emails. The absence of rate limits allows for rapid-fire requests, flooding the inboxes of the targeted email addresses.
Remediation
Administrators should upgrade to Mastodon 4.2.16 or 4.3.4, the releases in which this vulnerability has been fixed.
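The missing control here is a throttle on the "send verification email" action. The following is an added example, not Mastodon's own code or the fix shipped in the releases above: a framework-free, sliding-window throttle that limits how often a given client may trigger a send and, independently, how many verification mails a single address may receive from any client. The limits, periods, the sample IPs and the addresses are constructed for illustration.

```ruby
# Added example (not Mastodon's own code): a sliding-window throttle for a
# "send verification email" action, keyed by requesting client and by
# target address. Limits and period values are assumptions for illustration.

class VerificationThrottle
  Rule = Struct.new(:limit, :period)

  # Assumed policy: a client may trigger at most 5 sends per 10 minutes, and
  # a single address may receive at most 3 verification mails per hour no
  # matter how many clients request them.
  DEFAULT_RULES = {
    client: Rule.new(5, 600),
    address: Rule.new(3, 3600),
  }.freeze

  # `clock` is injectable so the behaviour can be exercised deterministically.
  def initialize(rules: DEFAULT_RULES, clock: -> { Time.now.to_f })
    @rules = rules
    @clock = clock
    @events = Hash.new { |h, k| h[k] = [] } # [scope, key] => send timestamps
  end

  # Returns { allowed: true } or { allowed: false, scope:, retry_after: }.
  # A rejected request does not consume quota in either scope.
  def attempt(client_ip:, address:)
    now = @clock.call
    # Normalise the address so case or whitespace variants share one bucket.
    keys = { client: client_ip, address: address.strip.downcase }
    keys.each do |scope, key|
      wait = seconds_until_free(scope, key, now)
      return { allowed: false, scope: scope, retry_after: wait } if wait
    end
    keys.each { |scope, key| @events[[scope, key]] << now }
    { allowed: true }
  end

  private

  # nil when another send is permitted now; otherwise the number of seconds
  # until the oldest counted send falls out of the window.
  def seconds_until_free(scope, key, now)
    rule = @rules.fetch(scope)
    bucket = @events[[scope, key]]
    bucket.reject! { |t| t <= now - rule.period } # drop expired entries
    return nil if bucket.size < rule.limit
    (bucket.first + rule.period - now).ceil
  end
end

# Gate the mail send behind the throttle. `mailer` is any callable that
# accepts the address; the result mimics an HTTP response so a controller
# can map it directly to 202 Accepted or 429 Too Many Requests.
def send_verification(throttle, mailer, client_ip:, address:)
  verdict = throttle.attempt(client_ip: client_ip, address: address)
  unless verdict[:allowed]
    return { status: 429, reason: verdict[:scope], retry_after: verdict[:retry_after] }
  end
  mailer.call(address)
  { status: 202 }
end
```

Keying on the target address as well as the client is the part that matters for this class of bug: a per-IP limit alone still lets many clients flood one inbox, while a per-address cap bounds the harm to any single recipient regardless of how many sources request it. In a Rails deployment such a policy would normally live in a Rack::Attack throttle rule or in the controller action rather than in a stand-alone class.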