CVE-2022-35925

Public Exploit
Missing rate limit in Authentication in bookwyrm

Description

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their `nginx.conf` file that was created when the instance was set up. Users are advised advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually.

Categories

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Third-Party Advisory github.com Third-Party Advisory huntr.dev Third-Party Advisory github.com
Affected: bookwyrm-social bookwyrm
Published at:
Updated at:

References

Link Tags
https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw third party advisory
https://huntr.dev/bounties/ebee593d-3fd0-4985-bf5e-7e7927e08bf6/ third party advisory exploit
https://www.github.com/bookwyrm-social/bookwyrm/commit/7bbe42fb30a79a26115524d18b697d895563c92f third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-35925?
CVE-2022-35925 has been scored as a medium severity vulnerability.
How to fix CVE-2022-35925?
To fix CVE-2022-35925, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-35925 being actively exploited in the wild?
It is possible that CVE-2022-35925 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-35925?
CVE-2022-35925 affects bookwyrm-social bookwyrm.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.