CVE-2022-35925 MEDIUM

CVE-2022-35925: Missing rate limit in Authentication in bookwyrm

Vendor Bookwyrm-Social
Product bookwyrm
Weakness CWE-287 · Improper authentication
Published August 2, 2022
Last update April 22, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views, which allows brute-force attacks against user credentials. This issue has been patched in version 0.4.5. Admins with existing instances will need to update the `nginx.conf` file that was created when the instance was set up. Users are advised to upgrade. Users unable to upgrade may apply the `nginx.conf` changes manually.
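The fix the advisory describes is applied at the reverse proxy rather than in the application. The following is an added example of per-client rate limiting on authentication views written for this page; it is not the BookWyrm project's own `nginx.conf` and does not reproduce the 0.4.5 patch. The upstream address, hostname and the `/login`, `/register` and `/password-reset` paths are assumptions and must be adjusted to the instance being protected.

```nginx
# Added example, not BookWyrm's shipped configuration.
# Assumptions: the Django app listens on 127.0.0.1:8000 (placeholder) and the
# authentication views live under /login, /register and /password-reset.
upstream bookwyrm {
    server 127.0.0.1:8000;
}

http {
    # One token bucket per client address, 10 MB of shared state,
    # steady-state allowance of 5 requests per minute.
    limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/m;
    # Answer throttled clients with 429 instead of nginx's default 503.
    limit_req_status 429;
    # Log throttled requests so bursts of failed logins are visible to monitoring.
    limit_req_log_level warn;

    server {
        listen 443 ssl;
        server_name bookwyrm.example.org;   # placeholder hostname

        # Ordinary browsing is not throttled.
        location / {
            proxy_pass http://bookwyrm;
        }

        # Authentication views: regex locations take precedence over the
        # prefix location above. Up to 5 extra requests are admitted
        # immediately (burst=5 nodelay); anything beyond that is rejected.
        location ~ ^/(login|register|password-reset)(/|$) {
            limit_req zone=auth_limit burst=5 nodelay;
            proxy_pass http://bookwyrm;
        }
    }
}
```

Because the key is `$binary_remote_addr`, instances behind another proxy or load balancer must first restore the real client address (for example with `set_real_ip_from` and `real_ip_header`), otherwise all clients share one bucket.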

Key dates

Disclosure timeline

August 2, 2022 CVE published
April 22, 2025 Record updated