PT-2024-25031 · Misskey · Misskey

Tesaguri · Published 2024-06-03 · Updated 2025-11-25 · CVE-2024-32983

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Misskey versions prior to 2024.5.0

Description

Misskey is an open source, decentralized microblogging platform. The platform does not perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them. This allows threat actors to spoof the contents of signed activities and impersonate the authors of the original activities.

Recommendations

For versions prior to 2024.5.0, update to version 2024.5.0 to fix the vulnerability. As a temporary workaround, consider restricting the processing of incoming signed ActivityPub activity objects until the update is applied.

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-32983
GHSA-2VXV-PV3M-3WVJ

Affected Products

Misskey