CVE-2025-71388 is a high-severity vulnerability in stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1. The issue allows users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. The vul [truncated]
A logic error was found in the query messages route of stoatchat (delta) versions before 20250210-1 (0.8.2). This error allows a remote unauthenticated attacker to craft requests that can download the entire message history of a channel in a single request, potentially leading to denial of service through resource exhaustion. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity.
CVE-2024-58360 is a vulnerability in stoatchat versions before 0.7.8 that allows for unrestricted account creation. This issue arises from the failure to enforce account creation restrictions, including invite-only mode, email verification, captcha, and shield verification. As a result, attackers can create unlimited accounts with unverified email addresses, increasing the risk of denial-of-service attack [truncated]