Medium

Denial of Service in CISA Thorium account verification email handling

IdentifiersCVE-2025-35436CWE-248· Uncaught Exception

CVE-2025-35436 is a denial-of-service vulnerability in CISA Thorium. According to the provided content, Thorium uses Rust's .unwrap() when handling errors related to account verification email messages. An unauthenticated remote attacker can trigger a crash by supplying a specially crafted email address or crafted response during the account verification email handling flow. The vulnerable condition appears to stem from improper handling of an error path that can cause a panic when .unwrap() is invoked on an unexpected error or invalid value. The issue was fixed in commit 6a65a27.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to crash the affected Thorium service or component involved in account verification email processing, resulting in denial of service. Based on the provided information, the impact is limited to service availability disruption; no evidence was provided of code execution, privilege escalation, or data exposure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the vulnerable account verification workflow to untrusted input where feasible. Apply input validation for email address fields and any related response data before they reach the vulnerable handler, and use rate limiting or request throttling on unauthenticated registration/account-verification endpoints to reduce the ease of repeated crash attempts. Operationally, enable service supervision or automatic restart to limit downtime from crashes. These measures are compensating controls and do not replace patching.

Remediation

Patch, then assume compromise.

Update CISA Thorium to a version that includes the fix for CVE-2025-35436, specifically the change introduced in commit 6a65a27, which removes or corrects the unsafe .unwrap()-based error handling in the account verification email message path. Review adjacent error-handling logic in the same workflow to ensure malformed email addresses or unexpected responses are handled gracefully without panicking.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CISAThoriumapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

the hacker newsNews

Mar 7, 2026

OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues

Unknown

the hacker newsNews

Mar 7, 2026

OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues

Unknown

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-35436

NVD

nvd.nist.gov/vuln/detail/CVE-2025-35436

MITRE CWE · CWE-248

Uncaught Exception

Patch

github.com/mjcarson/thorium/commit/6a65a2711fb2387e8c3eacebc774053741bf5aeb

Third Party Advisory

raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json