CVE-2025-25306

Summary

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the id and url fields of ActivityPub objects. An attacker can forge an object where they claim authority in the url field even if the specific ActivityPub object type require authority in the id field. Version 2025.2.1 addresses the issue.

Affected Software

VendorProductVersion RangeStatus
misskey-devmisskey< 2025.2.1affected

Weaknesses

  • CWE-346: CWE-346: Origin Validation Error
  • CWE-441: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-1025: CWE-1025: Comparison Using Wrong Factors

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References