SB2024021713 - Insufficient verification of data authenticity in Misskey


Published: February 17, 2024 Updated: April 28, 2026

Security Bulletin ID: SB2024021713
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Insufficient verification of data authenticity (CVE-ID: CVE-2024-25636)

The vulnerability allows a remote user to impersonate accounts and take over remote accounts.

The vulnerability exists due to improper content type verification in ApResolverService and ActivityPub object handling when fetching remote Activity Streams objects. A remote user can upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it to impersonate accounts and take over remote accounts.

Exploitation requires a remote server that allows the user to register an account, accepts arbitrary user-uploaded documents on the same domain as legitimate Activity Streams actors, and serves those documents in response to requests for Activity Streams media types.


Remediation

Install the update from the vendor's website.