Insecure Default Initialization of Resource in Misskey - CVE-2025-66482

 

Published: April 28, 2026


Vulnerability identifier: #VU128340
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-66482
CWE-ID: CWE-1188
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Misskey Development Division
Affected software:
Misskey

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass login rate limiting and brute force accounts.

The vulnerability exists due to initialization of a resource with an insecure default in the SigninApiService login rate limiting logic when handling login requests with a forged X-Forwarded-For header. A remote attacker can send crafted authentication requests with a spoofed X-Forwarded-For header to bypass login rate limiting and brute force accounts.

The issue is exposed when the instance is using an untrusted reverse proxy or no reverse proxy.
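The root cause described above, as an added illustration that is not Misskey's own code: a login rate limiter keyed on an address taken from X-Forwarded-For is only sound when that header is set by a trusted proxy. The resolver names, the trusted-proxy set and the sample addresses below are hypothetical and constructed for the example; the weak resolver honours the header from any peer, the hardened one honours it only behind a configured proxy.

```typescript
// Added illustration of the CVE-2025-66482 root cause (hypothetical code, not Misskey's):
// a login rate limiter keyed on X-Forwarded-For is only safe when a trusted proxy sets it.
type HeaderMap = Record<string, string | undefined>;

interface LoginRequest {
  remoteAddress: string; // peer address of the TCP connection, not spoofable by the client
  headers: HeaderMap;
}

// Weak resolver: honours X-Forwarded-For from anyone. With no trusted proxy in front,
// each request can claim a fresh address and land in a fresh rate-limit bucket.
function clientIpInsecure(req: LoginRequest): string {
  const xff = req.headers["x-forwarded-for"];
  return xff ? xff.split(",")[0].trim() : req.remoteAddress;
}

// Hardened resolver: use the header only when the connection comes from a configured
// trusted proxy, and take the right-most hop that is not itself a trusted proxy.
function clientIpSecure(req: LoginRequest, trustedProxies: Set<string>): string {
  if (!trustedProxies.has(req.remoteAddress)) return req.remoteAddress;
  const xff = req.headers["x-forwarded-for"];
  if (!xff) return req.remoteAddress;
  const hops = xff.split(",").map((h) => h.trim()).filter((h) => h.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return req.remoteAddress; // every hop was a trusted proxy; fall back to the peer
}

// Minimal per-key attempt counter standing in for a real login rate limiter.
function makeLoginLimiter(maxAttempts: number, resolve: (req: LoginRequest) => string) {
  const attempts = new Map<string, number>();
  return (req: LoginRequest): boolean => {
    const key = resolve(req);
    const n = (attempts.get(key) ?? 0) + 1;
    attempts.set(key, n);
    return n <= maxAttempts;
  };
}

// Constructed traffic: one peer (203.0.113.5) sends `total` login attempts, each with a
// different forged X-Forwarded-For value. Returns how many attempts the limiter lets through.
function countAllowed(resolve: (req: LoginRequest) => string, total = 10, max = 3): number {
  const allow = makeLoginLimiter(max, resolve);
  let allowed = 0;
  for (let i = 0; i < total; i++) {
    const req: LoginRequest = { remoteAddress: "203.0.113.5", headers: { "x-forwarded-for": `10.0.0.${i}` } };
    if (allow(req)) allowed++;
  }
  return allowed;
}
```

With the weak resolver all ten forged attempts pass; with the hardened resolver the peer address is the key and only the first three do.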


How to mitigate CVE-2025-66482

Install the security update from the vendor's website.

Sources