PT-2025-10614 · Misskey · Misskey

Eternal-Flame-Ad · Published 2025-03-10 · Updated 2025-03-10 · CVE-2025-25306

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Misskey versions prior to 2025.2.1

Description: The issue concerns the validation of the relation between the id and url fields of ActivityPub objects. Misskey did not enforce that authority over an object is established by its id field; an attacker can therefore forge an object that claims authority through the url field even when the object's ActivityPub type requires that authority come from the id field.

Recommendations: For versions prior to 2025.2.1, update to version 2025.2.1 to resolve the issue. As a temporary workaround, consider restricting the use of ActivityPub objects that require authority in the id field until the patch is applied. Do not rely on the url field of an ActivityPub object to establish authority when the object type requires authority in the id field.
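The following is an added example, not code from Misskey or from this advisory. It models the class of check the description refers to: which field of a fetched ActivityPub object is allowed to establish the object's origin. The weak variant lets the url field stand in for the origin (the pattern the advisory warns against); the strict variant derives origin from id only and compares it against the host the object is expected to be authoritative for. The object shapes, host names and function names are assumptions made for illustration.

```typescript
// Added example (not Misskey's code): id-based origin validation for
// ActivityPub objects, beside the weak url-based variant it replaces.

type ApObject = {
  id?: unknown;
  type?: unknown;
  url?: unknown;
  attributedTo?: unknown;
};

// Return the lowercase host of an https URL string, or null if the value
// is not a string or not an https URL.
function httpsHost(value: unknown): string | null {
  if (typeof value !== "string") return null;
  let parsed: URL;
  try {
    parsed = new URL(value);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;
  return parsed.host.toLowerCase();
}

// WEAK (constructed illustration of the flaw class): treats url as a
// source of origin. Any object, wherever it is hosted, can then "claim"
// a trusted host simply by setting url.
function weakAuthorityHost(obj: ApObject): string | null {
  return httpsHost(obj.url) ?? httpsHost(obj.id);
}

// STRICT: id is the only field that establishes origin. url is a
// presentation link and is ignored for authority decisions.
function strictAuthorityHost(obj: ApObject): string | null {
  return httpsHost(obj.id);
}

// Accept the object only if its id host matches the host it must be
// authoritative for (for example the host it was fetched from, or the
// host of the actor it is attributed to).
function checkObjectOrigin(
  obj: ApObject,
  expectedHost: string,
): { ok: boolean; reason: string } {
  const idHost = strictAuthorityHost(obj);
  if (idHost === null) {
    return { ok: false, reason: "id is missing or not an https URL" };
  }
  if (idHost !== expectedHost.toLowerCase()) {
    return {
      ok: false,
      reason: `id host ${idHost} does not match expected host ${expectedHost}`,
    };
  }
  return { ok: true, reason: "id host matches expected host" };
}

// Constructed sample objects; the hosts are placeholders, not real instances.
const genuineNote: ApObject = {
  id: "https://social.example/notes/1",
  type: "Note",
  url: "https://social.example/@alice/1",
  attributedTo: "https://social.example/users/alice",
};

// Same attributedTo and a url on social.example, but the id lives elsewhere.
const mismatchedNote: ApObject = {
  id: "https://other.example/notes/1",
  type: "Note",
  url: "https://social.example/notes/1",
  attributedTo: "https://social.example/users/alice",
};
```

For `mismatchedNote`, `weakAuthorityHost` reports `social.example` because it reads url first, while `strictAuthorityHost` reports `other.example` and `checkObjectOrigin(mismatchedNote, "social.example")` rejects the object; `genuineNote` passes both. The expected host should come from something the receiver already trusts (the fetch target or the attributed actor's id), never from the object being checked.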

Weakness Enumeration

Origin Validation Error

Related Identifiers

CVE-2025-25306
GHSA-6W2C-VF6F-XF26

Affected Products

Misskey