Origin validation error in Misskey - CVE-2025-25306

Published: March 31, 2025


Vulnerability identifier: #VU106268
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-25306
CWE-ID: CWE-346
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Misskey Development Division
Affected software:
Misskey

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an incomplete patch for CVE-2024-52591 (SB2025033119). A remote attacker can forge an object that claims authority in the url field even if the specific ActivityPub object type requires authority in the id field.
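As an added illustration of the check this weakness concerns (example code written for this page, not Misskey's own implementation; the type and function names are hypothetical), the following validates a fetched ActivityPub object by comparing the host of its `id` with the host it was fetched from, and deliberately ignores the `url` field:

```typescript
// Added example (not Misskey's code): origin validation for a fetched
// ActivityPub object, keyed on the `id` field rather than the `url` field.
// ApObject, hostOf and hasValidOrigin are hypothetical names.

type ApObject = { id?: unknown; url?: unknown; type?: unknown };

// Host of an absolute http(s) URL, or null for anything else
// (missing field, non-string, relative URL, other scheme).
function hostOf(value: unknown): string | null {
  if (typeof value !== 'string') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.host.toLowerCase();
  } catch {
    return null;
  }
}

// True only when the object's `id` is an absolute URL on the same host the
// object was fetched from. The `url` field is presentation data and carries
// no authority, so it is never consulted; an object without a usable `id`
// is rejected rather than falling back to `url`.
export function hasValidOrigin(obj: ApObject, fetchedFrom: string): boolean {
  const fetchedHost = hostOf(fetchedFrom);
  const idHost = hostOf(obj.id);
  if (fetchedHost === null || idHost === null) return false;
  return idHost === fetchedHost;
}
```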


How to mitigate CVE-2025-25306

Install updates from the vendor's website.

Sources