PT-2024-21056 · Misskey · Misskey

Tesaguri · Published 2024-02-19 · Updated 2025-02-05 · CVE-2024-25636

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Misskey versions prior to 2024.2.0

Description: Misskey is an open source, decentralized social media platform with ActivityPub support. When fetching a remote Activity Streams object, Misskey does not check that the remote server's response carries a Content-Type header of the Activity Streams media type (application/activity+json, or application/ld+json with the Activity Streams profile parameter). A threat actor can therefore upload a crafted Activity Streams document to a remote server that accepts arbitrary user uploads and cause a Misskey instance to fetch it, and Misskey will process the upload as if the remote server had published it. This allows the threat actor to impersonate and take over an account on a remote server that satisfies all of the following: it lets the threat actor register an account, it accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors, and it serves those uploaded documents in response to requests whose Accept header names the Activity Streams media type.

Recommendations: For versions prior to 2024.2.0, update to version 2024.2.0 or later, which contains a patch for the issue. Until the update is applied, restricting which remote Activity Streams objects the instance will fetch reduces exposure. Operators of other ActivityPub servers can remove the precondition on their side by not placing user-uploaded documents on the same domain as legitimate Activity Streams actors, and by not serving user-uploaded documents in response to requests whose Accept header names the Activity Streams media type.
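The check the advisory describes, shown as an added JavaScript example that is not Misskey's own code: a Content-Type validator for fetched Activity Streams responses, placed beside the unchecked pattern it replaces. The same-host test on the document's id, the resolve functions, the hostnames and both response objects are constructed for this example and are not taken from the project.

```javascript
// Added example, not Misskey's own code: validating that a fetched document was
// served as Activity Streams before trusting it. All responses are constructed.

const AS_PROFILE = "https://www.w3.org/ns/activitystreams";

// Parse a Content-Type header into a lowercased media type plus parameters,
// unquoting parameter values such as profile="...".
function parseContentType(value) {
  if (typeof value !== "string") return null;
  const [typePart, ...paramParts] = value.split(";");
  const type = typePart.trim().toLowerCase();
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(type)) return null;
  const params = {};
  for (const part of paramParts) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim().toLowerCase();
    let val = part.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    params[key] = val;
  }
  return { type, params };
}

// True only for the media types that identify an Activity Streams document:
// application/activity+json, or application/ld+json whose profile parameter
// (possibly a space-separated list) names the Activity Streams profile.
function isActivityStreamsContentType(value) {
  const ct = parseContentType(value);
  if (!ct) return false;
  if (ct.type === "application/activity+json") return true;
  if (ct.type === "application/ld+json") {
    return (ct.params.profile ?? "").split(/\s+/).includes(AS_PROFILE);
  }
  return false;
}

// Same-host check on the document id (a common, assumed precondition). On its own
// it does not stop this attack: the crafted upload sits on the actor's own host.
function idOnFetchedHost(fetchedUrl, doc) {
  if (typeof doc.id !== "string") return false;
  try {
    return new URL(doc.id).host === new URL(fetchedUrl).host;
  } catch {
    return false;
  }
}

// Vulnerable pattern: parse whatever came back and check only the host.
function resolveUnchecked(fetchedUrl, response) {
  const doc = JSON.parse(response.body);
  if (!idOnFetchedHost(fetchedUrl, doc)) throw new Error("id host mismatch");
  return doc;
}

// Hardened pattern: refuse a response the remote did not serve as Activity
// Streams before its body is parsed at all.
function resolveChecked(fetchedUrl, response) {
  const ct = response.headers["content-type"];
  if (!isActivityStreamsContentType(ct)) {
    throw new Error(`not an Activity Streams response (Content-Type: ${ct})`);
  }
  return resolveUnchecked(fetchedUrl, response);
}

// Constructed sample: the real actor document, served with the right media type.
const ACTOR_URL = "https://remote.example/users/alice";
const LEGIT_RESPONSE = {
  headers: { "content-type": 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' },
  body: JSON.stringify({ "@context": AS_PROFILE, id: ACTOR_URL, type: "Person",
    preferredUsername: "alice", inbox: "https://remote.example/users/alice/inbox" }),
};

// Constructed sample: an attacker's upload on the same host, claiming alice's id
// but pointing the inbox (and, in a real attack, the keys) at attacker infrastructure.
const UPLOAD_URL = "https://remote.example/uploads/not-an-actor.json";
const UPLOADED_RESPONSE = {
  headers: { "content-type": "application/octet-stream" },
  body: JSON.stringify({ "@context": AS_PROFILE, id: ACTOR_URL, type: "Person",
    preferredUsername: "alice", inbox: "https://attacker.example/inbox" }),
};

// resolveUnchecked(UPLOAD_URL, UPLOADED_RESPONSE) accepts the impersonation;
// resolveChecked(UPLOAD_URL, UPLOADED_RESPONSE) throws, and the legitimate
// response still resolves.
```

Two practical points. Media types are case-insensitive and the application/ld+json form carries its profile in a parameter, so comparing the raw header string against one literal would reject legitimate responses; parse first, then compare. And the check is only as strong as the remote's Content-Type: a server that serves uploads with whatever media type the uploader chose defeats it, which is why the advisory's last recommendation is addressed to operators of the remote server rather than to Misskey administrators.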

Exploit

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2024-25636
GHSA-QQRM-9GRJ-6V32

Affected Products

Misskey