
CVE-2025-35432: CWE-400 Uncontrolled Resource Consumption in CISA Thorium

Severity: Medium
Tags: Vulnerability, CVE-2025-35432, CWE-400
Published: Wed Sep 17 2025 (09/17/2025, 16:52:34 UTC)
Source: CVE Database V5
Vendor/Project: CISA
Product: Thorium

Description

CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes.

AI-Powered Analysis

AI analysis last updated: 09/17/2025, 17:01:06 UTC

Technical Analysis

CVE-2025-35432 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the CISA Thorium product, specifically version 1.0.0. The vulnerability arises because the application does not rate limit requests to send account verification email messages. This flaw allows a remote, unauthenticated attacker to trigger an unlimited number of verification emails to a user account that is pending verification. Without a rate limit, this functionality can be abused to exhaust resources on the email sending infrastructure or the application itself, potentially causing denial of service or email service degradation. The vulnerability does not directly impact confidentiality or integrity; it affects availability by enabling resource consumption attacks. The issue was addressed in version 1.1.1 by introducing a default rate limit of one verification email every 10 minutes per user, effectively mitigating the risk of abuse. The CVSS v3.1 score is 5.3, reflecting medium severity with a network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using CISA Thorium version 1.0.0, this vulnerability could lead to service disruptions due to resource exhaustion caused by excessive email verification requests. This could degrade user experience, delay legitimate account verification processes, and potentially overload email infrastructure, increasing operational costs and impacting service availability. While the vulnerability does not expose sensitive data or allow unauthorized access, the denial of service aspect could be exploited by attackers to disrupt onboarding or user verification workflows, which are critical for identity and access management. Organizations relying on Thorium for user verification should be aware that attackers do not need authentication or user interaction to exploit this flaw, increasing the risk of automated abuse. The impact is particularly relevant for sectors with high user registration volumes or strict availability requirements, such as financial services, government portals, and critical infrastructure operators in Europe.

Mitigation Recommendations

European organizations should immediately upgrade CISA Thorium to version 1.1.1 or later, where the rate limiting fix is implemented by default. If upgrading is not immediately feasible, organizations should implement compensating controls such as external rate limiting on the email verification endpoint via web application firewalls or API gateways. Monitoring and alerting on unusual spikes in verification email requests can help detect exploitation attempts early. Additionally, organizations should review their email infrastructure capacity and implement throttling or queuing mechanisms to prevent service degradation. Incorporating CAPTCHA or other bot mitigation techniques on the verification request interface can further reduce automated abuse. Finally, organizations should audit user accounts pending verification and consider temporary manual verification processes if abuse is detected.
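As an added illustration of the control the 1.1.1 fix introduced, the following Rust example is a per-account resend limiter with the advisory's 10-minute default. It is example code written here, not Thorium's own implementation; the type and function names are assumptions, and the limiter is keyed by the target account because that is what caps mail to the pending user regardless of who sends the requests.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Outcome of a request to (re)send a verification email.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Send,
    Throttled { retry_after: Duration },
}

/// Limiter keyed by the *target* account, not the requester's address:
/// the goal is to bound mail to the pending user, whoever asks for it.
pub struct VerificationEmailLimiter {
    window: Duration,
    last_sent: HashMap<String, Instant>,
}

impl VerificationEmailLimiter {
    pub fn new(window: Duration) -> Self {
        Self { window, last_sent: HashMap::new() }
    }

    /// Default window matching the advisory's fix: one email per 10 minutes.
    pub fn with_default_window() -> Self {
        Self::new(Duration::from_secs(600))
    }

    /// Decide whether an email may be sent to `account` at time `now`.
    /// `now` is passed in explicitly so the logic is testable without sleeping.
    pub fn check(&mut self, account: &str, now: Instant) -> Decision {
        if let Some(&prev) = self.last_sent.get(account) {
            let elapsed = now.saturating_duration_since(prev);
            if elapsed < self.window {
                return Decision::Throttled { retry_after: self.window - elapsed };
            }
        }
        self.last_sent.insert(account.to_string(), now);
        Decision::Send
    }

    /// Evict expired entries so the limiter's own map cannot be grown
    /// without bound by requests naming many distinct pending accounts.
    pub fn prune(&mut self, now: Instant) {
        let window = self.window;
        self.last_sent.retain(|_, t| now.saturating_duration_since(*t) < window);
    }

    pub fn tracked_accounts(&self) -> usize { self.last_sent.len() }
}
```

In a multi-replica deployment the `last_sent` state must live in a shared store rather than process memory, or each replica enforces its own independent window. A limit keyed only by client address would not close this issue, since the flood targets one account from however many sources the attacker controls.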


Technical Details

Data Version: 5.1
Assigner Short Name: cisa-cg
Date Reserved: 2025-04-15T20:57:14.280Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68cae909b253b63d00f0f6ce

Added to database: 9/17/2025, 4:59:53 PM

Last enriched: 9/17/2025, 5:01:06 PM

Last updated: 9/19/2025, 5:38:41 AM
