PT-2025-19771 · Misskey · Misskey
Warriordog
Published 2025-05-05 · Updated 2025-09-03
CVE-2025-46559
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Misskey versions 12.31.0 through 2025.4.0
Description
The issue is caused by missing validation in Mk:api, which allows malicious AiScript code to reach endpoints it is not designed to have access to. This is achieved by prefixing a URL with ../ to step out of the /api directory, making it possible to send requests to other endpoints such as /files, /url, and /proxy.
Recommendations
For versions 12.31.0 through 2025.4.0, update to version 2025.4.1 to resolve the issue.
As a temporary workaround, consider restricting access to Mk:api to minimize the risk of exploitation.
Avoid using the ../ prefix in URLs for the affected API endpoints until the issue is resolved.
Exploit
Fix
Path traversal
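As an added example (not Misskey's own code), the following shows the kind of check a sandboxed API bridge like Mk:api needs before forwarding a script-supplied endpoint name: the name is validated against a strict pattern and the resolved URL is confirmed to stay under /api/, shown alongside the naive concatenation that lets a ../ prefix escape. Function names and the allowed endpoint-name shape are assumptions for illustration.

```typescript
// Added example, not Misskey code. `buildApiUrlNaive`, `isSafeEndpoint`,
// `buildApiUrl` and the ENDPOINT_NAME pattern are assumptions for illustration.

const API_ROOT = '/api/';

// Naive construction: the script-supplied endpoint is concatenated without
// validation, so a "../" prefix is resolved by the URL parser and the request
// leaves the /api directory. Kept only to show what the hardened version stops.
function buildApiUrlNaive(origin: string, endpoint: string): string {
  return new URL(API_ROOT + endpoint, origin).toString();
}

// Endpoint names are plain segments like "notes/create": alphanumerics joined
// by single "-" or "/". This excludes ".", "..", "//", "?", "#", "\\" and "%".
const ENDPOINT_NAME = /^[a-z0-9]+(?:[-/][a-z0-9]+)*$/i;

// Hardened check: syntactic allow-list first, then confirm that the URL which
// would actually be requested still has the same origin, sits under /api/,
// and carries no query string or fragment.
function isSafeEndpoint(origin: string, endpoint: string): boolean {
  if (!ENDPOINT_NAME.test(endpoint)) return false;
  const resolved = new URL(API_ROOT + endpoint, origin);
  return resolved.origin === new URL(origin).origin
    && resolved.pathname.startsWith(API_ROOT)
    && resolved.search === ''
    && resolved.hash === '';
}

// Fail closed: refuse to build a URL for anything that did not pass the check.
function buildApiUrl(origin: string, endpoint: string): string {
  if (!isSafeEndpoint(origin, endpoint)) {
    throw new Error(`refusing endpoint outside ${API_ROOT}: ${JSON.stringify(endpoint)}`);
  }
  return new URL(API_ROOT + endpoint, origin).toString();
}
```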
Weakness Enumeration
Related Identifiers
Affected Products
Misskey