SB2025033119 - Multiple vulnerabilities in Misskey
Published: March 31, 2025 Updated: April 28, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2024-52591)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to inject forged ActivityPub content into the target instance.
The vulnerability exists due to insufficient validation of objects fetched from remote servers in ApRequestService.signedGet and HttpRequestService.getActivityJson. A remote attacker can serve crafted responses that cause the instance to create fake user profiles and forged notes.
2) Input validation error (CVE-ID: CVE-2024-52593)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to conduct phishing attacks.
The vulnerability exists due to improper input validation in NoteCreateService.insertNote, ApPersonService.createPerson, and ApPersonService.updatePerson when processing origin links. A remote attacker can set a crafted HTTPS URL as the target of an origin link, so that the link displayed for a note or profile leads to an attacker-chosen site.
User interaction is required: a user must click the spoofed link.
3) Input validation error (CVE-ID: CVE-2024-52590)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to impersonate users on another instance.
The vulnerability exists due to improper input validation in ApRequestService.signedGet when validating signed profile requests. A remote attacker can create a spoofed user profile to impersonate users on another instance.
The spoofed profile may appear to originate from a different instance than the one where it actually exists, and the attacker has full control over that spoofed account.
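The check a practitioner would want for items 1 to 3 above, as an added example that is not code from the Misskey project: after fetching a remote ActivityPub object, require that its id is an https URL on the host the object was actually fetched from, and (an illustrative policy, stricter than federation requires) that any url field points to the same host as the id. The function names, the object shape and that url policy are assumptions made for this example.

```typescript
// Added example, not Misskey code: an origin check applied to the JSON object
// returned by a (signed) GET of a remote ActivityPub URL. Object shape, function
// names and the same-host rule for `url` are assumptions made for illustration.

type ApObject = { id?: unknown; type?: unknown; url?: unknown; [key: string]: unknown };
type CheckResult = { ok: boolean; reason: string; object?: ApObject };

// Returns the lower-cased host (incl. port) of an https URL, or null if it is not one.
function httpsHost(value: unknown): string | null {
  if (typeof value !== 'string') return null;
  try {
    const u = new URL(value);
    return u.protocol === 'https:' ? u.host.toLowerCase() : null;
  } catch {
    return null;
  }
}

// `url` may be a string, a Link object, or an array of either; collect the hrefs.
function urlHrefs(url: unknown): unknown[] {
  const items = Array.isArray(url) ? url : [url];
  return items.map((item) =>
    item !== null && typeof item === 'object' ? (item as { href?: unknown }).href : item,
  );
}

/**
 * `requestedUrl` must be the URL actually fetched (after redirects, if any):
 * the object is only trusted to describe things hosted on that host.
 */
export function checkFetchedObject(requestedUrl: string, body: unknown): CheckResult {
  const requestedHost = httpsHost(requestedUrl);
  if (requestedHost === null) return { ok: false, reason: 'requested URL is not https' };
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'response body is not a JSON object' };
  }
  const object = body as ApObject;

  // 1. `id` must be an https URL on the host we fetched from. Without this a
  //    server can return an object whose id claims another instance, which is how
  //    a profile ends up appearing to live on an instance other than the real one.
  const idHost = httpsHost(object.id);
  if (idHost === null) return { ok: false, reason: 'id is missing or not an https URL' };
  if (idHost !== requestedHost) {
    return { ok: false, reason: `id host ${idHost} differs from fetched host ${requestedHost}` };
  }

  // 2. Illustrative policy for the origin-link field: every href in `url` must be
  //    an https URL on the same host as `id`, so a note or profile cannot point its
  //    public link at an unrelated (phishing) site.
  if (object.url !== undefined) {
    for (const href of urlHrefs(object.url)) {
      const hrefHost = httpsHost(href);
      if (hrefHost !== idHost) {
        return { ok: false, reason: `url ${String(href)} is not an https link on ${idHost}` };
      }
    }
  }
  return { ok: true, reason: 'id and url are consistent with the fetched host', object };
}
```

The same-host rule on `id` is the one that matters for items 1 and 3: a host may only assert objects under its own origin, so a response from attacker.example claiming `id: https://victim.example/users/alice` is dropped before it reaches the database.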
4) Improper access control (CVE-ID: CVE-2024-52592)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify poll results belonging to another user.
The vulnerability exists due to improper access control in ApInboxService.update when handling update messages for remote polls: the actor sending the update is not verified to own the poll being updated. A remote attacker can send an Update activity that carries a valid HTTP signature from any actor on any remote instance and thereby modify poll results belonging to another user.
Only remote polls are affected; local polls are unaffected.
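An added example (not Misskey's code) of the authorization an inbox Update needs beyond signature verification, for item 4 above: the key that signed the request must belong to the stated actor, that actor must be the author of the stored remote poll, the poll must be hosted on the actor's own instance, and local notes are never updated from the inbox. The record shapes, the function names and the signerUri parameter are assumptions.

```typescript
// Added example, not Misskey code: authorization for an inbox Update that targets
// a stored (remote) poll/note. Record shapes and names are assumptions; `signerUri`
// is the actor whose key verified the HTTP signature on the incoming request.

type StoredNote = {
  uri: string | null;        // ActivityPub id of the note (null for local notes)
  authorUri: string | null;  // ActivityPub id of the author (null for local users)
  isLocal: boolean;
};
type UpdateActivity = { type?: unknown; actor?: unknown; object?: unknown };
type AuthzResult = { ok: boolean; reason: string };

// Lower-cased host of a URL string, or null if the value is not a URL.
function hostOf(value: unknown): string | null {
  if (typeof value !== 'string') return null;
  try {
    return new URL(value).host.toLowerCase();
  } catch {
    return null;
  }
}

export function authorizeUpdate(activity: UpdateActivity, signerUri: string, stored: StoredNote): AuthzResult {
  if (activity.type !== 'Update') return { ok: false, reason: 'not an Update activity' };

  const actor = activity.actor;
  const obj = activity.object;
  const objectId = typeof obj === 'string'
    ? obj
    : (obj !== null && typeof obj === 'object' ? (obj as { id?: unknown }).id : undefined);
  if (typeof actor !== 'string' || hostOf(actor) === null) return { ok: false, reason: 'actor is not a URL' };
  if (typeof objectId !== 'string' || hostOf(objectId) === null) return { ok: false, reason: 'object id is not a URL' };

  // A valid signature only proves who sent the message, not that the sender may
  // edit this object. The signing key must belong to the stated actor ...
  if (signerUri !== actor) return { ok: false, reason: 'signing key does not belong to the stated actor' };
  // ... the actor can only speak for objects hosted on its own instance ...
  if (hostOf(actor) !== hostOf(objectId)) return { ok: false, reason: 'actor and object are on different hosts' };
  // ... local objects are never modified through the inbox ...
  if (stored.isLocal) return { ok: false, reason: 'refusing inbox update of a local note' };
  // ... and the stored note must be exactly this object, authored by this actor.
  if (stored.uri !== objectId) return { ok: false, reason: 'object id does not match the stored note' };
  if (stored.authorUri !== actor) return { ok: false, reason: 'actor is not the author of the stored note' };
  return { ok: true, reason: 'actor owns the object' };
}
```

The forged case from the bulletin is the second check from the bottom: mallory@attacker.example signs a perfectly valid Update for `https://remote.example/notes/42`, and it is refused because the actor's host is not the object's host, before the author comparison is even reached.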
5) Uncontrolled Recursion (CVE-ID: CVE-2024-49363)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in FileServerService.prototype.proxyHandler: a media URL that redirects back into the proxy (a nested proxy request) is followed without a depth limit, so a malicious redirect loop keeps the handler fetching. A remote attacker can post a note referencing such a URL to exhaust server resources and cause a denial of service.
Instances with an external media proxy configured are also affected.
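An added example (not Misskey's code) of the two guards the proxy handler in item 5 lacks: refuse to proxy a URL that points at the instance's own proxy endpoint (or at the configured external media proxy), and follow redirects with a hop budget and loop detection, re-applying the first guard on every hop. The HEAD fetch is injected and the redirect table is constructed so the example runs offline; the origins, the /proxy/ path prefix and the hop limit are assumptions.

```typescript
// Added example, not Misskey code: two guards for a media/file proxy handler.
// The `head` function is injected and the redirect table below is constructed, so
// the example runs offline; origins, path prefix and limits are assumptions.

type HeadResult = { status: number; location?: string };
type HeadFn = (url: string) => HeadResult;
type ResolveResult = { ok: boolean; reason: string; finalUrl?: string; hops?: number };

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Guard 1: a proxy must never be asked to fetch through itself (or through the
// configured external media proxy); otherwise each hop spawns another proxy
// request and the chain only ends when the process runs out of resources.
export function isProxyEndpoint(target: string, proxyOrigins: string[], proxyPathPrefix = '/proxy/'): boolean {
  let u: URL | null = null;
  try {
    u = new URL(target);
  } catch {
    return false;
  }
  const origin = u.origin;
  return u.pathname.startsWith(proxyPathPrefix)
    && proxyOrigins.some((o) => new URL(o).origin === origin);
}

// Guard 2: follow redirects with a hop budget and a visited set, applying guard 1
// to every hop, so a redirect loop or a redirect into the proxy itself terminates
// with an error instead of recursing.
export function resolveWithGuards(
  start: string,
  head: HeadFn,
  opts: { proxyOrigins: string[]; maxHops: number },
): ResolveResult {
  let url: string;
  try {
    url = new URL(start).href;
  } catch {
    return { ok: false, reason: 'unparsable URL' };
  }
  const seen = new Set<string>();
  let hops = 0;
  for (;;) {
    if (isProxyEndpoint(url, opts.proxyOrigins)) return { ok: false, reason: `refusing nested proxy request to ${url}` };
    if (seen.has(url)) return { ok: false, reason: `redirect loop at ${url}` };
    seen.add(url);
    const r = head(url);
    if (REDIRECT_STATUSES.has(r.status) && r.location !== undefined) {
      hops += 1;
      if (hops > opts.maxHops) return { ok: false, reason: `more than ${opts.maxHops} redirects` };
      url = new URL(r.location, url).href; // Location may be relative
      continue;
    }
    if (r.status >= 200 && r.status < 300) return { ok: true, reason: 'resolved', finalUrl: url, hops };
    return { ok: false, reason: `upstream returned ${r.status}` };
  }
}

// Constructed redirect table standing in for real upstream servers (sample data).
export const SAMPLE_UPSTREAM: Record<string, HeadResult> = {
  'https://cdn.example/ok.png': { status: 200 },
  'https://cdn.example/a.png': { status: 302, location: 'https://cdn.example/b.png' },
  'https://cdn.example/b.png': { status: 302, location: '/a.png' }, // back to a.png: a loop
  'https://cdn.example/to-proxy.png': {
    status: 302,
    location: 'https://misskey.example/proxy/image.webp?url=https%3A%2F%2Fcdn.example%2Fa.png',
  },
};
export const sampleHead: HeadFn = (url) => SAMPLE_UPSTREAM[url] ?? { status: 404 };
export const SAMPLE_OPTS = { proxyOrigins: ['https://misskey.example', 'https://media-proxy.example'], maxHops: 5 };
```

Listing the external media proxy in proxyOrigins is what covers the last sentence of item 5: with an external proxy configured, a redirect into that proxy's URL space is just as much a nested request as one into the instance's own /proxy/ path.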
6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-52579)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to send requests to internal servers.
The vulnerability exists due to insufficient restriction of request destinations in HttpRequestService when handling API requests that fetch user-supplied URLs. A remote user can supply a crafted URL to send requests to internal servers.
The issue affects the API endpoints that fetch a caller-supplied URL: through them an authenticated user can make the instance issue GET or POST requests, with some control over URL parameters, to private IP addresses.
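An added example (not Misskey's code) of the destination check item 6 calls for, applied before an API handler fetches a caller-supplied URL: only http(s), no credentials in the URL, no localhost, and every address the name resolves to must be public. Resolved addresses are passed in so the check runs offline and so the caller connects to exactly the addresses it checked (re-resolving after the check would reopen the hole through DNS rebinding). Function names and the address ranges listed are assumptions of this example.

```typescript
// Added example, not Misskey code: a destination check for outbound requests that
// fetch caller-supplied URLs. The caller resolves the hostname, passes the
// addresses here, and then connects to exactly those addresses. Names are assumptions.

type DestResult = { ok: boolean; reason: string };

function tryParseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// Four dotted-decimal octets, or null if the text is not an IPv4 address.
function parseIPv4(s: string): number[] | null {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : -1));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// RFC 1918, loopback, link-local, CGNAT, "this network", multicast and reserved.
function isNonPublicIPv4([a, b]: number[]): boolean {
  return a === 0 || a === 10 || a === 127 || a >= 224
    || (a === 100 && b >= 64 && b <= 127)
    || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168);
}

function isNonPublicIPv6(ip: string): boolean {
  const s = ip.toLowerCase();
  if (s.includes('.')) { // ::ffff:10.0.0.1 style mapped forms: judge the embedded IPv4
    const v4 = parseIPv4(s.slice(s.lastIndexOf(':') + 1));
    return v4 === null || isNonPublicIPv4(v4);
  }
  const first = s.startsWith('::') ? 0 : parseInt(s.split(':')[0], 16);
  if (Number.isNaN(first) || first === 0) return true; // ::/8 (covers :: and ::1), or garbage
  return (first & 0xfe00) === 0xfc00   // fc00::/7 unique local
    || (first & 0xffc0) === 0xfe80     // fe80::/10 link-local
    || (first & 0xffc0) === 0xfec0     // fec0::/10 site-local (deprecated)
    || (first & 0xff00) === 0xff00;    // ff00::/8 multicast
}

// True for anything that is not a routable public address; unparsable input fails closed.
export function isNonPublicAddress(addr: string): boolean {
  const a = addr.startsWith('[') && addr.endsWith(']') ? addr.slice(1, -1) : addr;
  if (a.includes(':')) return isNonPublicIPv6(a);
  const v4 = parseIPv4(a);
  return v4 === null || isNonPublicIPv4(v4);
}

function isIpLiteral(hostname: string): boolean {
  return hostname.startsWith('[') || parseIPv4(hostname) !== null;
}

export function checkOutboundUrl(urlStr: string, resolvedAddrs: string[]): DestResult {
  const u = tryParseUrl(urlStr);
  if (u === null) return { ok: false, reason: 'unparsable URL' };
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username !== '' || u.password !== '') return { ok: false, reason: 'credentials in URL not allowed' };
  const host = u.hostname; // WHATWG parsing already turned forms like 2130706433 into 127.0.0.1
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost not allowed' };
  if (isIpLiteral(host)) {
    return isNonPublicAddress(host)
      ? { ok: false, reason: `IP literal ${host} is not public` }
      : { ok: true, reason: 'public IP literal' };
  }
  if (resolvedAddrs.length === 0) return { ok: false, reason: `${host} did not resolve` };
  for (const addr of resolvedAddrs) {
    if (isNonPublicAddress(addr)) return { ok: false, reason: `${host} resolves to non-public ${addr}` };
  }
  return { ok: true, reason: 'all resolved addresses are public' };
}
```

Two details matter in practice: a name that returns a mix of public and private records is rejected outright (an attacker-controlled zone can return both), and the check must also be repeated on every redirect target, since a public host may simply 302 to a private address.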
Remediation
Install the fixed release from the vendor; the linked GitHub advisories list the affected and patched versions for each issue.
References
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-m2gq-69fp-6hv4
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj
- https://github.com/advisories/GHSA-675w-hf2m-qwmj
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-7vgr-p3vc-p4h2
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5h8r-gq97-xv69
- https://github.com/advisories/GHSA-5h8r-gq97-xv69
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw