Mastodon Rate-Limiting Misconfiguration Vulnerability in Email Confirmation Throttle
Vulnerability
A denial-of-service vulnerability has been identified in Mastodon versions 3.1.5 prior to 4.2.24, 4.3.0 prior to 4.3.11, and 4.4.0 prior to 4.4.3. The issue arises from a configuration error in the application's rate-limiting rules, specifically in the email confirmation throttle. Instead of matching confirmation email requests, the throttle references the password reset path, so the per-email limit never applies to confirmation requests and only the weaker per-IP throttle remains. An attacker who rotates IP addresses can bypass that per-IP throttle and trigger an unbounded number of confirmation emails to any address, which can overwhelm the outbound mail queue and be used to harass users with spam.
Impact
Exploitation of this vulnerability can lead to a denial-of-service condition, where the outbound mail queue is flooded with confirmation emails, causing delays and disruptions. Additionally, it allows for targeted harassment of users by spamming their inboxes with unwanted confirmation messages.
Remediation
Operators should upgrade to Mastodon 4.4.3, 4.3.11, or 4.2.24, whichever matches the release branch in use, to address this vulnerability.
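To make the misconfiguration described above and the effect of the fix concrete, here is an added example (not Mastodon's own code) that models a Rack::Attack-style throttle pair in plain Ruby: the per-email rule keyed to the wrong path beside the corrected rule, run over a constructed burst of confirmation requests. The paths `/auth/confirmation` and `/auth/password`, the limit of 5 per rule, and the request shape are assumptions, not values taken from this advisory.

```ruby
# Stand-in for a Rack::Attack-style throttle: the discriminator block returns
# a key (or nil when the rule does not apply) and at most `limit` requests per
# key pass. The time window is omitted; every request falls in one period.
class Throttle
  def initialize(limit:, &discriminator)
    @limit = limit
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # true if the request is allowed, false if throttled
  def allow?(req)
    key = @discriminator.call(req)
    return true if key.nil?
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

Request = Struct.new(:path, :ip, :email)

CONFIRMATION_PATH = '/auth/confirmation' # assumed Devise confirmation route
PASSWORD_PATH     = '/auth/password'     # assumed Devise password reset route

# Vulnerable pair: the per-email rule checks the password reset path, so it
# never fires on confirmation requests; only the per-IP rule is left.
def vulnerable_rules(limit: 5)
  [Throttle.new(limit: limit) { |r| "email:#{r.email}" if r.path == PASSWORD_PATH },
   Throttle.new(limit: limit) { |r| "ip:#{r.ip}" if r.path == CONFIRMATION_PATH }]
end

# Fixed pair: the per-email rule is keyed to the confirmation path.
def fixed_rules(limit: 5)
  [Throttle.new(limit: limit) { |r| "email:#{r.email}" if r.path == CONFIRMATION_PATH },
   Throttle.new(limit: limit) { |r| "ip:#{r.ip}" if r.path == CONFIRMATION_PATH }]
end

# Number of requests that pass every rule, i.e. confirmation emails actually sent.
def emails_sent(rules, requests)
  requests.count { |req| rules.map { |rule| rule.allow?(req) }.all? }
end

# Constructed burst: n confirmation requests for one address, from a fresh
# IP each time (rotate_ip: true) or from a single IP.
def confirmation_burst(n = 40, rotate_ip: true)
  (1..n).map do |i|
    ip = rotate_ip ? "198.51.100.#{i}" : '198.51.100.1'
    Request.new(CONFIRMATION_PATH, ip, 'victim@example.org')
  end
end
```

With the vulnerable rules a rotating-IP burst of 40 requests sends 40 emails; with the fixed rules the per-email key caps the same burst at 5.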