CVE-2025-35432 is a vulnerability identified in the CISA Thorium product, specifically version 1.0.0. The issue is classified under CWE-400, which pertains to uncontrolled resource consumption. The vulnerability arises because the Thorium application does not implement rate limiting on requests to send account verification email messages. This lack of restriction allows a remote unauthenticated attacker to repeatedly trigger the sending of verification emails to a user who is pending verification, potentially leading to resource exhaustion. Such an attack could overwhelm the email infrastructure, degrade service performance, or cause denial of service conditions either on the application itself or on the email delivery system. The vulnerability does not impact confidentiality or integrity directly but affects availability by enabling an attacker to consume resources excessively. The vendor addressed this issue in version 1.1.1 by introducing a default rate limit that restricts sending verification emails to once every 10 minutes per user, mitigating the risk of abuse. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with attack vector as network, no privileges required, no user interaction needed, and an impact limited to availability. No known exploits are currently reported in the wild, but the vulnerability's nature makes it a potential vector for denial of service or spam-based attacks targeting user verification workflows.

For European organizations using CISA Thorium version 1.0.0, this vulnerability poses a risk primarily to service availability and operational stability. Attackers could exploit this flaw to flood users with verification emails, potentially causing email system overloads, increased operational costs, and degraded user experience. This could lead to temporary denial of service conditions for legitimate users attempting to verify accounts, impacting onboarding processes and customer trust. Additionally, excessive email traffic could trigger spam filters or blacklisting of the organization's email domains, further disrupting communications. Organizations in sectors with high user verification demands, such as financial services, healthcare, or government agencies, may experience amplified operational impacts. While the vulnerability does not directly compromise sensitive data, the availability disruption could indirectly affect business continuity and compliance with service-level agreements. Given the unauthenticated nature of the exploit, attackers do not need credentials or user interaction, increasing the ease of exploitation and potential scale of impact.

European organizations should prioritize upgrading CISA Thorium to version 1.1.1 or later, where the vulnerability is fixed by implementing a default rate limit of 10 minutes between verification email sends per user. Until the upgrade is applied, organizations can implement additional mitigations such as deploying web application firewalls (WAFs) to detect and throttle repeated verification email requests from the same IP addresses or user accounts. Monitoring email sending patterns and setting alerts for unusual spikes in verification email traffic can help identify exploitation attempts early. Organizations should also review and harden their email infrastructure to handle potential surges and prevent blacklisting. Implementing CAPTCHA or other challenge-response mechanisms on the verification request endpoint can reduce automated abuse. Finally, organizations should educate their users about potential phishing or spam risks arising from such attacks and maintain incident response plans to address availability disruptions promptly.