Warriordog

**Name of the Vulnerable Software and Affected Versions** Misskey versions 12.0.0 through 2025.4.0 **Description** The issue arises from an oversight in validation performed in `UrlPreviewService` and `MkUrlPreview`, allowing an attacker to inject arbitrary CSS into the `MkUrlPreview` component. This can lead to de-anonymization of users and further attacks in the client. The `UrlPreviewService.wrap` function falls back to returning the original URL if it uses a protocol other than `http` or `https`. Additionally, `MkUrlPreview` does not escape CSS when applying a `background-image` property, enabling an attacker to craft a URL that applies arbitrary styles to the preview element. An attacker can theoretically craft a CSS injection payload to create a fake error message, deceiving the user into giving away their credentials or similar sensitive information. **Recommendations** For Misskey versions 12.0.0 through 2025.4.0, update to version 2025.4.1, which contains a patch for the issue. As a temporary workaround, consider disabling the `UrlPreviewService` and `MkUrlPreview` components until the patch is applied. Restrict access to the `MkUrlPreview` component to minimize the risk of exploitation. Avoid using the `background-image` property in the affected `MkUrlPreview` component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** @misskey-dev/summaly versions 3.0.1 through 5.2.0 **Description** A logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. This issue allows Misskey to follow redirects, despite explicitly requesting not to. The problem can be demonstrated by publishing a post containing a link to any URL that redirects on Misskey, resulting in a preview being generated for the target of the redirect, even when `allowRedirects: false` is specified. **Recommendations** For versions 3.0.1 through 5.2.0, update to version 5.2.1, which contains a patch for the issue. As a temporary workaround, consider disabling the `summaly` function until the patch is applied. Restrict access to the `summaly` function to minimize the risk of exploitation. Avoid using the `allowRedirects` option in the affected `summaly` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Misskey versions 12.31.0 through 2025.4.0 **Description** The issue is related to missing validation in `Mk:api`, which allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. This is achieved by prefixing a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. **Recommendations** For versions 12.31.0 through 2025.4.0, update to version 2025.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the `Mk:api` to minimize the risk of exploitation. Avoid using the `../` prefix in URLs for the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 2024.11.0-alpha.3 **Description** The issue concerns missing validation in `ApRequestService.signedGet`, allowing an attacker to create fake user profiles that appear to be from a different instance. These profiles can be used to impersonate existing users, giving attackers full control to post, renote, or interact like a real account. **Recommendations** For versions prior to 2024.11.0-alpha.3, upgrade to version 2024.11.0-alpha.3 or later to resolve the issue. As a temporary workaround, consider restricting interactions with unverified or suspicious user profiles until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 2024.11.0-alpha.3 **Description** Misskey is an open source, federated social media platform. In affected versions, missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any "origin" links, such as the "view on remote instance" banner. Any HTTPS URL can be set, even if it belongs to a different domain than the note or user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. **Recommendations** For versions prior to 2024.11.0-alpha.3, upgrade to version 2024.11.0-alpha.3 or later to resolve the issue. As a temporary workaround, consider disabling the `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` functions until a patch is available. Restrict access to unverified URLs to minimize the risk of exploitation. Avoid using unverified URLs in clickable links until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 2024.11.0-alpha.3 **Description** Misskey is an open source, federated social media platform. In affected versions, missing validation in `ApRequestService.signedGet` and `HttpRequestService.getActivityJson` allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from a different instance than the one where they actually exist, and the forged notes will appear to be posted by a different user. Vulnerable Misskey instances will accept the spoofed objects as valid, allowing an attacker to impersonate other users and instances. The attacker retains full control of the spoofed user / note and can interact like a real account. **Recommendations** To resolve the issue, update to version 2024.11.0-alpha.3 or later. As a temporary workaround, consider restricting interactions with unverified user profiles and notes until the update is applied. There are no known workarounds for this vulnerability, so upgrading to the fixed version is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 2024.11.0-alpha.3 **Description** Misskey is an open source, federated social media platform. In affected versions, missing validation in `ApInboxService.update` allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instance. Vulnerable Misskey instances will accept spoofed updates for remote polls. Local polls are unaffected. **Recommendations** For versions prior to 2024.11.0-alpha.3, update to version 2024.11.0-alpha.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ApInboxService.update` function until a patch is available. Avoid accepting updates for remote polls from untrusted sources until the issue is resolved.