CVE-2025-46559

Medium CVSS: 5.4

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.

Vendor

Misskey

Product

Misskey

CWE

CWE-22

Yayın Tarihi

2025-05-05 19:15:56

Güncelleme

2025-09-03 18:29:40

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Misskey MEDIUM Misskey 2025

Referanslar

https://github.com/misskey-dev/misskey/commit/583df3ec63e25a1fd34def0dac13405396b8b663 https://github.com/misskey-dev/misskey/security/advisories/GHSA-gmq6-738q-vjp2

Benzer Kayıtlar

Critical

CVE-2026-28431

Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but p…

High

CVE-2026-28432

Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerabilit…

Low

CVE-2026-28433

Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but…

High

CVE-2025-66402

Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025…

Medium

CVE-2025-66482

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a…

High

CVE-2025-46340

Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, du…