Insufficient verification of data authenticity in Misskey - CVE-2024-25636

 


Published: February 17, 2024 / Updated: April 28, 2026


Vulnerability identifier: #VU128328
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-25636
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Misskey
Software vendor: Misskey Development Division

Description

The vulnerability allows a remote user to impersonate accounts and take over remote accounts.

The vulnerability exists due to improper content type verification in ApResolverService and ActivityPub object handling when fetching remote Activity Streams objects. A remote user can upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it to impersonate accounts and take over remote accounts.

Exploitation requires a remote server that allows the user to register an account, accepts arbitrary user-uploaded documents on the same domain as legitimate Activity Streams actors, and serves those documents in response to requests for Activity Streams media types.
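The content type verification described above can be sketched as a check on the response's own Content-Type header, applied before a fetched document is treated as an Activity Streams object. This is an added example, not Misskey's code: the function names and sample URLs are hypothetical, and the two accepted media types are the ones defined by the ActivityPub specification.

```typescript
// Added example, not Misskey's code. All names here are hypothetical.
const AS2_PROFILE = "https://www.w3.org/ns/activitystreams";

interface ParsedType { type: string; params: Record<string, string>; }

// Split a Content-Type header into a lowercase media type and its parameters.
function parseContentType(header: string): ParsedType {
  const parts = header.split(";");
  const params: Record<string, string> = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // ignore malformed parameters
    const key = part.slice(0, eq).trim().toLowerCase();
    // Strip optional surrounding quotes from the value.
    params[key] = part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
  }
  return { type: (parts[0] || "").trim().toLowerCase(), params };
}

// True only when the response itself declares an Activity Streams media type.
function isActivityStreamsType(header: string | null): boolean {
  if (!header) return false;
  const { type, params } = parseContentType(header);
  if (type === "application/activity+json") return true;
  if (type !== "application/ld+json") return false;
  // The profile parameter may carry several space-separated URIs.
  return (params["profile"] || "").split(/\s+/).indexOf(AS2_PROFILE) !== -1;
}

// Constructed sample responses: [URL, Content-Type header of the response].
const SAMPLES: Array<[string, string | null]> = [
  ["https://remote.example/users/alice", "application/activity+json; charset=utf-8"],
  ["https://remote.example/users/bob", 'Application/LD+JSON; profile="https://www.w3.org/ns/activitystreams"'],
  ["https://remote.example/files/upload-1.json", "application/json"],
  ["https://remote.example/files/upload-2", "application/octet-stream"],
  ["https://remote.example/files/upload-3", "application/ld+json"],
  ["https://remote.example/files/upload-4", null],
];

// URLs whose responses must be discarded before any ActivityPub parsing.
function rejectedUrls(): string[] {
  return SAMPLES.filter(([, ct]) => !isActivityStreamsType(ct)).map(([url]) => url);
}
```

A document served as generic JSON, as a binary upload, as JSON-LD without the Activity Streams profile, or with no Content-Type at all is rejected regardless of what its body contains.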


Remediation

Install the security update from the vendor's website.
