
PT-2024-35378 · CVSS 6.4 · 2024-12-18
Misskey · Misskey · CVE-2024-52579
**Name of the Vulnerable Software and Affected Versions**

Misskey versions prior to 2024.11.0-alpha.3

**Description**

Misskey is an open source, federated social media platform. Some APIs that use `HttpRequestService` do not properly check the target host. This allows an attacker to send POST or GET requests to the internal server, which may result in a Server-Side Request Forgery (SSRF) attack: requests (with some controllable URL parameters) can be directed at private IPs, enabling further attacks on internal servers.

**Recommendations**

For versions prior to 2024.11.0-alpha.3, upgrade to version 2024.11.0-alpha.3 or later to address the issue. As a temporary workaround, consider restricting access to APIs that utilize `HttpRequestService` until the upgrade is applied, and avoid using controllable URL parameters in affected API endpoints until the issue is resolved. At the moment, there are no known workarounds for this vulnerability other than upgrading to the fixed version.
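The missing check described above is validation of the target host before an outbound request is made. The following is an added example, not Misskey's code or its actual fix: it shows the shape of such a check in TypeScript, and the `HttpRequestService`-style caller, the blocked address ranges and the `needsDns` contract are assumptions of this example.

```typescript
// Added example, not Misskey's own code: deny-list check for an outbound request target
// before an HttpRequestService-style client fetches it. Ranges below are this example's choice.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Loopback, private, link-local (incl. 169.254.169.254 metadata), CGNAT, 0.0.0.0/8.
function isForbiddenIPv4(host: string): boolean {
  const o = parseIPv4(host);
  if (!o) return false;
  const [a, b] = o;
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Accepts the bracketed form URL.hostname returns; covers ::, ::1, fc00::/7, fe80::/10
// and IPv4-mapped addresses in dotted (::ffff:10.0.0.1) or hex (::ffff:a00:1) notation.
function isForbiddenIPv6(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (!h.includes(":")) return false;
  if (h === "::" || h === "::1") return true;
  if (h.startsWith("::ffff:")) {
    const rest = h.slice(7);
    if (rest.includes(".")) return isForbiddenIPv4(rest);
    const [hi, lo] = rest.split(":").map((g) => parseInt(g, 16));
    return isForbiddenIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^(f[cd]|fe[89ab])/.test(h.split(":")[0]);
}

type TargetCheck = { ok: boolean; reason?: string; needsDns?: boolean };

// ok=false: refuse. ok=true, needsDns=true: a DNS name passed the literal checks; the
// caller must resolve it and re-check every A/AAAA record, else DNS defeats the filter.
function checkOutboundTarget(raw: string): TargetCheck {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  const host = url.hostname; // WHATWG URL normalises IPv4 shorthand such as 127.1
  if (host === "localhost" || host.endsWith(".localhost"))
    return { ok: false, reason: "localhost" };
  if (isForbiddenIPv4(host) || isForbiddenIPv6(host))
    return { ok: false, reason: `internal address ${host}` };
  return { ok: true, needsDns: !parseIPv4(host) && !host.includes(":") };
}
```

The literal check alone is not sufficient: a hostname that resolves to an internal address passes it, so the resolved addresses must be checked again and the connection pinned to them.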