PT-2024-35378 · Misskey · Misskey

Rectcoordsystem · Published 2024-12-18 · Updated 2025-11-26 · CVE-2024-52579

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Misskey versions prior to 2024.11.0-alpha.3

Description: Misskey is an open source, federated social media platform. Some APIs using HttpRequestService do not properly check the target host, so an attacker can make the server send POST or GET requests (with some controllable URL parameters) to the internal server and to private IPs. This is a Server-Side Request Forgery (SSRF) and allows further attacks on internal servers.

Recommendations: For versions prior to 2024.11.0-alpha.3, upgrade to version 2024.11.0-alpha.3 or later to address the issue. Until the upgrade is applied, consider restricting access to APIs that utilize HttpRequestService and avoid using controllable URL parameters in the affected API endpoints. Beyond these interim measures, there are no known workarounds for this vulnerability other than upgrading to the fixed version.
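The missing target-host check described above, as an added defender-side example that is not Misskey's own code and does not reproduce HttpRequestService: the caller resolves the hostname itself and passes every resolved address, so the same rule can be applied to the address the client actually connects to. The function names `isDisallowedAddress` and `checkTarget` are chosen here for illustration.

```typescript
// Added example, not Misskey's own code: host check for an outbound HTTP client.
// The caller resolves the hostname and passes every resolved address, so the same
// rule can be applied to the address actually connected to (resolve-then-connect).
import { isIP } from "net";

// True when an IPv4/IPv6 address is one an outbound fetcher must never reach.
export function isDisallowedAddress(addr: string): boolean {
  const kind = isIP(addr);
  if (kind === 4) {
    const [a, b] = addr.split(".").map(Number);
    return (
      a === 0 ||                            // 0.0.0.0/8
      a === 10 ||                           // 10.0.0.0/8
      a === 127 ||                          // loopback
      (a === 100 && b >= 64 && b <= 127) || // CGNAT 100.64.0.0/10
      (a === 169 && b === 254) ||           // link-local, incl. cloud metadata endpoints
      (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
      (a === 192 && b === 168)              // 192.168.0.0/16
    );
  }
  if (kind === 6) {
    const v6 = addr.toLowerCase();
    // Dotted IPv4-mapped form (::ffff:10.0.0.1) is judged as its IPv4 part.
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
    if (mapped) return isDisallowedAddress(mapped[1]);
    return (
      v6 === "::" || v6 === "::1" ||                     // unspecified, loopback
      v6.startsWith("fc") || v6.startsWith("fd") ||      // unique local fc00::/7
      /^fe[89ab]/.test(v6)                               // link-local fe80::/10
    );
  }
  return true; // not an IP literal at all: reject rather than guess
}

// Validates a user-supplied URL plus the addresses its host resolved to.
// Returns null when the target is acceptable, otherwise the reason for refusal.
export function checkTarget(url: string, resolved: string[]): string | null {
  let u: URL;
  try { u = new URL(url); } catch { return "unparseable URL"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return `scheme ${u.protocol} not allowed`;
  const host = u.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (isIP(host) && isDisallowedAddress(host)) return `literal address ${host} is internal`;
  if (resolved.length === 0) return "host did not resolve";
  for (const a of resolved) {
    if (isDisallowedAddress(a)) return `${host} resolves to internal address ${a}`;
  }
  return null;
}
```

Applying the rule to the resolved addresses rather than only the hostname string is what closes DNS-based bypasses, provided the connection is then made to one of the checked addresses.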

Tags: Exploit · Fix · SSRF · RCE

Weakness Enumeration

Related Identifiers

CVE-2024-52579
GHSA-5Q3H-WPFW-HJJW

Affected Products

Misskey