Server-Side Request Forgery (SSRF) in Misskey - CVE-2024-52579

Published: December 18, 2024 / Updated: April 28, 2026


Vulnerability identifier: #VU128334
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-52579
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Misskey Development Division
Affected software: Misskey

Detailed vulnerability description

The vulnerability allows a remote user to send requests to internal servers.

The vulnerability exists due to insufficient restriction of request destinations in HttpRequestService when handling API requests that fetch user-supplied URLs. A remote user can supply a crafted URL to send requests to internal servers.

The issue affects several APIs and allows GET or POST requests, with some of the URL parameters under the requester's control, to be sent to private IP addresses.
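To make the missing control concrete, the following is an added example of a destination check for server-side fetches of user-supplied URLs, the restriction CWE-918 is about. It is written for this page in TypeScript for Node.js and is not Misskey's HttpRequestService or its fix; the function names, the host table standing in for DNS, and the URLs are constructed. The resolver is injected so the check can run offline and so the same resolved addresses can later be pinned for the actual connection.

```typescript
// Added example (not Misskey's own code): decide whether a server-side fetch of a
// user-supplied URL may proceed. The hostname is resolved through an injectable
// resolver and every resulting address is checked against private and reserved
// ranges before any connection is made.
import * as net from "node:net";

export type Resolver = (hostname: string) => Promise<string[]>;
export interface Verdict { ok: boolean; reason: string }

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, oct) => (acc << 8) + Number(oct), 0) >>> 0;
}

// IPv4 ranges a server-side fetch must never reach: "this network", RFC 1918
// private space, shared address space, loopback, link-local (where cloud
// metadata services live), and the broadcast address.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["255.255.255.255", 32],
];

export function isBlockedIPv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

export function isBlockedIPv6(ip: string): boolean {
  const lower = ip.toLowerCase();
  if (lower === "::1" || lower === "::") return true;            // loopback, unspecified
  // IPv4-mapped addresses inherit the IPv4 verdict. The WHATWG URL parser
  // serializes them as hex (::ffff:7f00:1); resolvers may return dotted form.
  const dotted = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedIPv4(dotted[1]);
  const hex = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^f[cd]/.test(lower) || /^fe[89ab]/.test(lower);     // fc00::/7, fe80::/10
}

export async function checkDestination(rawUrl: string, resolve: Resolver): Promise<Verdict> {
  let url: URL;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // URL parsing already normalizes tricks such as "127.1" or a decimal integer host
  // to dotted form; IPv6 literals arrive bracketed.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const addrs = net.isIP(host) === 0 ? await resolve(host) : [host];
  if (addrs.length === 0) return { ok: false, reason: "hostname did not resolve" };
  for (const a of addrs) {
    const kind = net.isIP(a);
    const blocked = kind === 4 ? isBlockedIPv4(a) : kind === 6 ? isBlockedIPv6(a) : true;
    if (blocked) return { ok: false, reason: `resolves to blocked address ${a}` };
  }
  return { ok: true, reason: `all ${addrs.length} address(es) are public` };
}

// Constructed host table standing in for DNS so the example runs offline.
// 203.0.113.0/24 is the documentation range (TEST-NET-3).
export const demoResolver: Resolver = async (host) => {
  const table: Record<string, string[]> = {
    "public.example": ["203.0.113.10"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["203.0.113.10", "127.0.0.1"],   // one public, one loopback
  };
  return table[host] ?? [];
};
```

Two points a practitioner would add on top of this check: the address that passed validation should be the one actually connected to (with the Host header and SNI set to the original hostname), otherwise a second DNS lookup at connect time can return a different answer; and every redirect hop must be run through the same check, since a public host can redirect to a private one.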


How to mitigate CVE-2024-52579

Install the security update from the vendor's website.

Sources