PT-2024-35387 · Misskey · Misskey

Warriordog · Published 2024-12-18 · Updated 2025-11-26 · CVE-2024-52590

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:N/SA:L
Name of the Vulnerable Software and Affected Versions: Misskey versions prior to 2024.11.0-alpha.3

Description: The issue concerns missing validation in ApRequestService.signedGet, which allows an attacker to create fake user profiles that appear to belong to a different instance. These profiles can be used to impersonate existing users, giving the attacker the ability to post, renote, or otherwise interact as if they were the real account.

Recommendations: For versions prior to 2024.11.0-alpha.3, upgrade to version 2024.11.0-alpha.3 or later to resolve the issue. As a temporary workaround, consider restricting interactions with unverified or suspicious user profiles until the upgrade can be applied.
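The description names the missing check but not its shape. As an added illustration, not the Misskey project's code and not the actual patch, this is the kind of origin validation a defender expects around a signed ActivityPub fetch: the object returned for a requested URL must carry an `id` on the same origin as that URL, and any redirect must stay on that origin, so a remote server cannot hand back a profile that claims to live on another instance. The function names (`checkFetchedObjectOrigin`, `originOf`), the result type and the sample instances are assumptions made for this example.

```typescript
// Added illustration (not Misskey's code): an origin check applied to the
// result of a signed ActivityPub fetch. Names and types are assumptions.

interface ApObject {
  id?: unknown;
  type?: unknown;
  [key: string]: unknown;
}

type OriginCheck =
  | { ok: true; id: string }
  | { ok: false; reason: string };

/** Returns the origin (scheme + host + port) of an http(s) URL, or null if it does not parse. */
function originOf(raw: string): string | null {
  try {
    const u = new URL(raw);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null;
  }
}

/**
 * Validate that the object fetched for `requestedUrl` (which ended up at
 * `finalUrl` after redirects) carries an `id` on the same origin as the
 * request. Returns a result object instead of throwing so the caller can
 * log the reason and drop the object.
 */
function checkFetchedObjectOrigin(
  requestedUrl: string,
  finalUrl: string,
  body: ApObject,
): OriginCheck {
  const requested = originOf(requestedUrl);
  if (requested === null) {
    return { ok: false, reason: 'requested URL is not an http(s) URL' };
  }

  // A redirect that leaves the origin we asked for means the document came
  // from somewhere else; treat it the same as a mismatched id.
  const final = originOf(finalUrl);
  if (final !== requested) {
    return { ok: false, reason: `redirected off-origin: ${finalUrl}` };
  }

  if (typeof body.id !== 'string') {
    return { ok: false, reason: 'object has no string id' };
  }
  const idOrigin = originOf(body.id);
  if (idOrigin === null) {
    return { ok: false, reason: `id is not an http(s) URL: ${body.id}` };
  }
  if (idOrigin !== requested) {
    return {
      ok: false,
      reason: `id origin ${idOrigin} does not match requested origin ${requested}`,
    };
  }

  return { ok: true, id: body.id };
}

// Constructed sample data (example hostnames, not real instances).
const SAMPLE_REQUEST = 'https://instance-a.example/users/alice';

// A well-formed Person object whose id matches the fetched URL.
const SAMPLE_GOOD: ApObject = {
  type: 'Person',
  id: 'https://instance-a.example/users/alice',
  preferredUsername: 'alice',
};

// A response whose id claims to belong to a different instance than the one
// the request went to; the check must reject it.
const SAMPLE_MISMATCHED: ApObject = {
  type: 'Person',
  id: 'https://instance-b.example/users/admin',
  preferredUsername: 'admin',
};

console.log(checkFetchedObjectOrigin(SAMPLE_REQUEST, SAMPLE_REQUEST, SAMPLE_GOOD));
console.log(checkFetchedObjectOrigin(SAMPLE_REQUEST, SAMPLE_REQUEST, SAMPLE_MISMATCHED));
```

The check runs on the response of every signed GET before the object is parsed into a user record; an origin match is a precondition, not a substitute for the rest of the actor validation (signature verification, expected `type`, and so on), and the comparison is done on the normalized `URL.origin` so case and default-port differences do not produce false rejections.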


Weakness Enumeration

Related Identifiers

CVE-2024-52590
GHSA-7VGR-P3VC-P4H2

Affected Products

Misskey