Origin validation error in Misskey
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2025-25306 |
| CWE-ID | CWE-346 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Misskey Web applications / Modules and components for CMS |
| Vendor | Misskey Development Division |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Origin validation error
EUVDB-ID: #VU106268
Risk: High
CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-25306
CWE-ID:
CWE-346 - Origin Validation Error
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to incomplete patch on CVE-2024-52591 (SB2025033119). A remote attacker can forge an object where they claim authority in the url field even if the specific ActivityPub object type require authority in the id field.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMisskey: 2025.1.0 - 2025.2.0
CPE2.3- cpe:2.3:a:misskey_development_division:misskey:2025.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:misskey_development_division:misskey:2025.2.0:*:*:*:*:*:*:*
https://github.com/misskey-dev/misskey/releases/tag/2025.2.1
https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
