PT-2025-19769 · Misskey · Misskey
Warriordog · Published 2025-05-05 · Updated 2025-09-03
CVE-2025-46340
CVSS v3.1 · 7.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Misskey versions 12.0.0 through 2025.4.0
Description
The issue arises from an oversight in validation performed in UrlPreviewService and MkUrlPreview, allowing an attacker to inject arbitrary CSS into the MkUrlPreview component. This can lead to de-anonymization of users and further attacks in the client. The UrlPreviewService.wrap function falls back to returning the original URL if it uses a protocol other than http or https. Additionally, MkUrlPreview does not escape CSS when applying a background-image property, enabling an attacker to craft a URL that applies arbitrary styles to the preview element. An attacker can theoretically craft a CSS injection payload to create a fake error message, deceiving the user into giving away their credentials or similar sensitive information.
Recommendations
For Misskey versions 12.0.0 through 2025.4.0, update to version 2025.4.1, which contains a patch for the issue. As a temporary workaround, consider disabling the UrlPreviewService and MkUrlPreview components until the patch is applied. Restrict access to the MkUrlPreview component to minimize the risk of exploitation. Avoid using the background-image property in the affected MkUrlPreview component until the issue is resolved.
Exploit
Fix
Improper Encoding or Escaping of Output
RCE
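The two defects in the description (a URL wrapper that passes non-http/https URLs through unchanged, and a background-image value built without CSS escaping) can be closed as in the sketch below. This is an added example, not Misskey's code or its 2025.4.1 patch; the function names `safePreviewUrl`, `cssUrl` and `backgroundImageStyle` are hypothetical and the sample inputs are constructed.

```javascript
// Added example, not Misskey's code. All function names here are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse the candidate URL and accept it only if it is http(s).
// Anything else yields null: there is no "return the original string" path.
function safePreviewUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Serialize a value as a CSS url("...") token. Characters that could end the
// string or the url() function, plus controls, become CSS hex escapes.
function cssUrl(value) {
  const escaped = value.replace(
    /[\u0000-\u001f\u007f"'()\\]/g,
    (ch) => '\\' + ch.codePointAt(0).toString(16) + ' ',
  );
  return `url("${escaped}")`;
}

// Style object for the preview thumbnail; empty when the URL is rejected.
function backgroundImageStyle(raw) {
  const url = safePreviewUrl(raw);
  return url === null ? {} : { backgroundImage: cssUrl(url) };
}

// Constructed sample inputs.
for (const sample of ['https://example.com/img(1).png', 'data:text/plain,x']) {
  console.log(sample, '->', JSON.stringify(backgroundImageStyle(sample)));
}
```

Rejecting the URL outright, rather than returning it untouched, keeps the allow-list decision in one place; the escaping step then protects the style sink even if a caller skips that check.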
Related Identifiers
Affected Products
Misskey