Misskey · Misskey · CVE-2024-49363
**Name of the Vulnerable Software and Affected Versions**
Misskey versions 2024.10.1 or earlier
**Description**
Misskey is an open source, federated social media platform. In affected versions, the `FileServerService` (media proxy) did not detect proxy loops, so a remote actor could trigger a self-propagating, reflected and amplified distributed denial of service with a maliciously crafted note. `FileServerService.prototype.proxyHandler` did not check whether an incoming request originated from another media proxy. An attacker sends the server a nested proxy request (a proxy URL whose target is itself a proxy URL) and has the final upstream answer with a redirect back to another nested proxy request; each proxy follows the redirect and issues the next proxied fetch, so the recursion is unbounded until the original request times out.
**Recommendations**
For Misskey versions 2024.10.1 or earlier, upgrade to version 2024.11.0-alpha.3 or later.
As a temporary workaround for users unable to upgrade, configure the reverse proxy to block requests to the proxy with an empty `User-Agent` header or one containing `Misskey/`.
Restrict access to the media-proxy endpoint served by `FileServerService.prototype.proxyHandler` (for example, by rate-limiting it at the reverse proxy) to minimize the risk of exploitation.
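The two controls above, the User-Agent filter from the workaround and a bound on proxy-to-proxy recursion, expressed as checks a media-proxy handler could run itself. This is an added example, not Misskey's code or its fix; the function names (`isFromMediaProxy`, `resolveProxiedUrl`), the `MAX_REDIRECTS` value, and the assumption that the media proxy lives under a `/proxy/` path on the instance's own origin are all this example's, not the project's. The upstream is modelled as a plain function so the block runs offline.

```typescript
// Added example (not Misskey project code). Models two loop defences for a
// media proxy handler:
//  1. refuse requests that arrive from another Misskey media proxy, which is
//     the same rule the reverse-proxy workaround applies (empty User-Agent or
//     one containing "Misskey/");
//  2. bound the redirect chain a single proxied fetch will follow and refuse
//     any hop that points back at this instance's own proxy path, so a
//     redirect cannot re-enter the proxy without limit.
// Names, the /proxy/ path and MAX_REDIRECTS are assumptions of this example.

type HeaderMap = Record<string, string | undefined>;

// Incoming-side check: does this request come from another media proxy?
// Node lowercases header names, so 'user-agent' is the key to read.
function isFromMediaProxy(headers: HeaderMap): boolean {
  const ua = (headers['user-agent'] ?? '').trim();
  return ua === '' || ua.includes('Misskey/');
}

// Minimal upstream model: a URL maps to a status and optional Location.
type UpstreamResponse = { status: number; location?: string };
type Upstream = (url: string) => UpstreamResponse;

type ResolveResult = { ok: boolean; finalUrl?: string; reason?: string };

const MAX_REDIRECTS = 5; // assumed bound, not a Misskey setting

// Outgoing-side check: follow redirects from `url`, stopping when the chain
// exceeds MAX_REDIRECTS or any hop targets our own /proxy/ path (a loop).
function resolveProxiedUrl(url: string, fetchUpstream: Upstream, selfOrigin: string): ResolveResult {
  let current = url;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const target = new URL(current);
    if (target.origin === selfOrigin && target.pathname.startsWith('/proxy/')) {
      return { ok: false, reason: 'proxy loop' };
    }
    const res = fetchUpstream(current);
    if (res.status >= 300 && res.status < 400 && res.location !== undefined) {
      // Resolve relative Location values against the URL that issued them.
      current = new URL(res.location, current).toString();
      continue;
    }
    return { ok: true, finalUrl: current };
  }
  return { ok: false, reason: 'too many redirects' };
}

// Constructed upstream for demonstration: one URL redirects straight back
// into this instance's proxy, one redirects to itself forever, the rest 200.
const SELF_ORIGIN = 'https://social.example';
const demoUpstream: Upstream = (url) => {
  if (url === 'https://evil.example/loop') {
    return { status: 302, location: `${SELF_ORIGIN}/proxy/image?url=${encodeURIComponent(url)}` };
  }
  if (url === 'https://evil.example/forever') {
    return { status: 302, location: 'https://evil.example/forever' };
  }
  return { status: 200 };
};

function demo(): ResolveResult[] {
  return [
    resolveProxiedUrl('https://cdn.example/img.png', demoUpstream, SELF_ORIGIN),
    resolveProxiedUrl('https://evil.example/loop', demoUpstream, SELF_ORIGIN),
    resolveProxiedUrl('https://evil.example/forever', demoUpstream, SELF_ORIGIN),
  ];
}
```

The User-Agent check alone catches the cross-instance case (another Misskey's proxy fetching from you), while the redirect bound catches the case where the upstream is under attacker control and simply points back; a handler wants both, since neither one covers the other.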