CVE-2025-61775: CWE-613: Insufficient Session Expiration in Whimsies-YAT Vickey
Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a verified email address could receive repeated confirmation messages if the verification link was accessed multiple times. This issue may result in unintended email traffic but does not expose user data. The issue was addressed in version 2025.10.0 by improving validation logic to ensure verification links behave as expected after completion.
AI Analysis
Technical Summary
CVE-2025-61775 affects the Whimsies-YAT Vickey microblogging platform, which is based on Misskey, in versions prior to 2025.10.0. The weakness is filed under CWE-613 (Insufficient Session Expiration) and, per this page's classification, CWE-770 (Allocation of Resources Without Limits or Throttling). Concretely, the email confirmation link sent when a user attaches an address carried a token that stayed valid until its expiry time even after the address had been verified. Each further request with the same link re-ran the confirmation step and sent another confirmation email to the already verified address, so one link could be replayed for as long as it had not expired. No credentials or personal data are exposed; the effect is unwanted mail to the address holder and extra load on the instance's outbound mail path, a denial-of-service-like condition bounded by the token lifetime.

The CVSS 4.0 base score recorded here is 6.9 (Medium): network attack vector, low attack complexity, no privileges and no user interaction required, with limited impact on availability and integrity. Read that vector with the prerequisite in mind: the attacker must hold an unexpired confirmation link, which means being the address holder, having access to the mailbox, or obtaining the link from wherever it was logged or forwarded. The fix in version 2025.10.0 changes the validation logic so that a link that has already completed verification is no longer accepted. No exploitation in the wild had been reported as of publication.
Potential Impact
For European organizations running a Vickey instance, the direct effect is on the availability and reputation of the email path used for account verification, not on stored data. Replaying a link floods the target mailbox with identical confirmation messages, which can bury legitimate mail, trip the recipient provider's spam heuristics, and degrade the instance's sending reputation or land its domain on blocklists, which in turn delays every other transactional mail the instance sends. Operators with large user bases, or who rely on email for account recovery, will see this as support load and delivery failures. The attacker does not control the message content, so the flaw is a nuisance and deliverability risk rather than a phishing vector, and its volume is bounded by how long each link stays valid. The impact is more pronounced for operators in sectors that depend on prompt transactional email, such as finance, government and critical infrastructure providers.
Mitigation Recommendations
Upgrade Vickey to version 2025.10.0 or later; that is the only complete fix. Until the upgrade is applied: rate-limit the email verification endpoint and the outbound confirmation mail per destination address and per source IP, at the application or the mail relay, so a replayed link cannot send more than a handful of messages per hour; monitor for the same verification link being requested more than once and for spikes in confirmation mail volume, and treat either as a likely exploitation attempt; keep verification tokens out of places an attacker might read them, such as proxy and application access logs and Referer headers, since the token in the URL is the entire secret; and keep existing spam filtering in front of user mailboxes to soften the effect on recipients. When reviewing your own code for the same pattern, confirm that single-use tokens are deleted or marked consumed in the same database step that validates them, and that expired tokens are purged. Tell support staff about the issue so reports of repeated confirmation mails are recognized and escalated rather than dismissed.
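For the log-auditing recommendation, here is an added TypeScript example, not from this page or the Vickey project, that scans access-log lines for verification links followed more than once. The line format, the /verify-email/<token> route and the sample lines are constructed assumptions; adapt the regular expression to the instance's actual reverse-proxy log format and route.

```typescript
// Added example, not from the page or the Vickey project: scan reverse-proxy access
// logs for verification links that were followed more than once. The line format,
// the /verify-email/<token> route and the sample lines are constructed assumptions.

export interface Hit { ts: number; ip: string; token: string; status: number; }

// Assumed format: <ISO timestamp> <client ip> "GET /verify-email/<hex token> HTTP/x.y" <status>
const LINE = /^(\S+) (\S+) "GET \/verify-email\/([0-9a-f]{32,}) HTTP\/[\d.]+" (\d{3})$/;

export function parseHits(lines: string[]): Hit[] {
  const hits: Hit[] = [];
  for (const line of lines) {
    const m = LINE.exec(line.trim());
    if (m === null) continue; // other routes, other methods, malformed lines
    const ts = Date.parse(m[1]);
    if (Number.isNaN(ts)) continue;
    hits.push({ ts, ip: m[2], token: m[3], status: Number(m[4]) });
  }
  return hits;
}

export interface ReuseAlert { token: string; count: number; ips: string[]; firstTs: number; lastTs: number; }

// A verification link is meant to be followed once. Any token with more than maxUses
// successful hits is a reuse candidate; the IP list helps tell a user's double-click
// apart from a third party replaying a captured link.
export function findReusedTokens(hits: Hit[], maxUses = 1): ReuseAlert[] {
  const byToken = new Map<string, Hit[]>();
  for (const h of hits) {
    if (h.status < 200 || h.status >= 300) continue; // only successful hits could have sent mail
    const list = byToken.get(h.token) ?? [];
    list.push(h);
    byToken.set(h.token, list);
  }
  const alerts: ReuseAlert[] = [];
  byToken.forEach((list, token) => {
    if (list.length <= maxUses) return;
    const seen: Record<string, true> = {};
    list.forEach((h) => { seen[h.ip] = true; });
    const ts = list.map((h) => h.ts);
    alerts.push({
      token,
      count: list.length,
      ips: Object.keys(seen).sort(),
      firstTs: Math.min(...ts),
      lastTs: Math.max(...ts),
    });
  });
  return alerts.sort((a, b) => b.count - a.count);
}

// Constructed sample: one legitimate single use (TOKEN_A), one link replayed five
// times from two client addresses (TOKEN_B), a 404 on an unknown token (TOKEN_C),
// and two lines the parser must ignore.
export const TOKEN_A = "0123456789abcdef".repeat(4);
export const TOKEN_B = "fedcba9876543210".repeat(4);
export const TOKEN_C = "abcd".repeat(16);
export const SAMPLE_LOG: string[] = [
  `2025-10-14T09:00:01Z 198.51.100.7 "GET /verify-email/${TOKEN_A} HTTP/1.1" 200`,
  `2025-10-14T09:00:05Z 198.51.100.7 "POST /api/i/update HTTP/1.1" 200`,
  `2025-10-14T09:10:00Z 203.0.113.5 "GET /verify-email/${TOKEN_B} HTTP/1.1" 200`,
  `2025-10-14T09:10:02Z 203.0.113.5 "GET /verify-email/${TOKEN_B} HTTP/1.1" 200`,
  `2025-10-14T09:10:04Z 203.0.113.9 "GET /verify-email/${TOKEN_B} HTTP/1.1" 200`,
  `2025-10-14T09:10:06Z 203.0.113.9 "GET /verify-email/${TOKEN_B} HTTP/1.1" 200`,
  `2025-10-14T09:10:08Z 203.0.113.9 "GET /verify-email/${TOKEN_B} HTTP/1.1" 200`,
  `2025-10-14T09:11:00Z 203.0.113.9 "GET /verify-email/${TOKEN_C} HTTP/1.1" 404`,
  `not a log line`,
];
```

Run it over the proxy logs for the verification route on a schedule. A token with one successful hit is normal; two hits from the same client seconds apart is usually a double-click; several hits spread over time or across different client addresses is the replay this CVE describes and should be correlated with outbound mail volume for that user.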
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-30T19:43:49.901Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ed396165e259ed7edc1e41
Added to database: 10/13/2025, 5:39:45 PM
Last enriched: 10/20/2025, 6:18:51 PM
Last updated: 12/5/2025, 1:07:07 AM