SB2025033121 - Origin validation error in Misskey
Published: March 31, 2025
Security Bulletin ID
SB2025033121
CSH Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Origin validation error (CVE-ID: CVE-2025-25306)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to incomplete patch on CVE-2024-52591 (SB2025033119). A remote attacker can forge an object where they claim authority in the url field even if the specific ActivityPub object type require authority in the id field.
Remediation
Install update from vendor's website.