CVE-2024-49363

Name of the Vulnerable Software and Affected Versions Misskey versions 2024.10.1 or earlier

Description Misskey is an open source, federated social media platform. In affected versions, the FileServerService (media proxy) did not detect proxy loops, allowing remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. The FileServerService.prototype.proxyHandler did not check if incoming requests were coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and ending the request with a malicious redirect back to another nested proxy request, leading to unbounded recursion until the original request times out.

Recommendations For Misskey versions 2024.10.1 or earlier, upgrade to version 2024.11.0-alpha.3 or later. As a temporary workaround for users unable to upgrade, configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. Restrict access to the FileServerService.prototype.proxyHandler function to minimize the risk of exploitation.