CVE-2025-25306

Critical CVSS: 9.3

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields of ActivityPub objects. An attacker can forge an object where they claim authority in the `url` field even if the specific ActivityPub object type require authority in the `id` field. Version 2025.2.1 addresses the issue.

Vendor

Misskey

Product

Misskey

CWE

CWE-346

Yayın Tarihi

2025-03-10 19:15:40

Güncelleme

2025-11-26 16:24:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-346 Misskey CRITICAL Misskey 2025

Referanslar

https://github.com/misskey-dev/misskey/releases/tag/2025.2.1 https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26

Benzer Kayıtlar

Critical

CVE-2026-28431

Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but p…

High

CVE-2026-28432

Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerabilit…

Low

CVE-2026-28433

Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but…

High

CVE-2025-66402

Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025…

Medium

CVE-2025-66482

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a…

High

CVE-2025-46340

Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, du…