SB2026042870 - Multiple vulnerabilities in Misskey
Published: April 28, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2025-66402)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the export of favorites or clips: post URLs added earlier are exported without an authorization check. A remote user can add private post URLs to favorites or clips and then export the data to disclose sensitive information.
If private posts are pinned, their identifiers may be obtainable from the user page on the original server.
2) Insecure Default Initialization of Resource (CVE-ID: CVE-2025-66482)
The vulnerability allows a remote attacker to bypass login rate limiting and brute force accounts.
The vulnerability exists due to initialization of a resource with an insecure default in the SigninApiService login rate limiting logic, which derives the client address from the X-Forwarded-For header without verifying that the header was set by a trusted proxy. A remote attacker can send crafted authentication requests with a spoofed X-Forwarded-For header to bypass login rate limiting and brute force accounts.
The issue is exposed when the instance is using an untrusted reverse proxy or no reverse proxy at all.
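The following added example (constructed for this bulletin, not Misskey's own code) contrasts a rate-limit key that trusts X-Forwarded-For unconditionally with one that only honours the header when the TCP peer is a configured trusted proxy; the trusted-proxy set, request shape and addresses are assumptions.

```typescript
// Constructed example: deriving the address used as the login rate-limit key.
// Assumption: the operator configures the set of trusted reverse-proxy addresses.
interface IncomingRequest {
  remoteAddress: string;                          // TCP peer as seen by the server
  headers: Record<string, string | undefined>;    // lower-cased header names
}

// Insecure variant: the header is trusted unconditionally, so a client that
// reaches the server directly (or via an untrusted proxy) chooses its own bucket.
function clientIpInsecure(req: IncomingRequest): string {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.remoteAddress;
}

// Hardened variant: only honour X-Forwarded-For when the peer is a trusted proxy,
// then walk the chain from the right and stop at the first hop that is not a
// trusted proxy. Values a client prepends on the left are never used.
function clientIpHardened(req: IncomingRequest, trustedProxies: ReadonlySet<string>): string {
  if (!trustedProxies.has(req.remoteAddress)) {
    return req.remoteAddress; // no proxy or an untrusted one: the header is unverifiable
  }
  const xff = req.headers['x-forwarded-for'];
  if (!xff) return req.remoteAddress;
  const hops = xff.split(',').map(h => h.trim()).filter(h => h.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return req.remoteAddress; // every listed hop was a trusted proxy
}

// Minimal fixed-window attempt counter keyed by the derived address.
class LoginRateLimiter {
  private readonly counts = new Map<string, number>();
  private readonly maxAttempts: number;
  constructor(maxAttempts: number) {
    this.maxAttempts = maxAttempts;
  }
  allow(key: string): boolean {
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.maxAttempts;
  }
}
```

With the hardened key, a direct client keeps hitting the same bucket no matter what header it sends, so the counter is exhausted after maxAttempts.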
Remediation
Install the update from the vendor's website.