PT-2025-51338 · Misskey · Misskey

Published 2025-12-15 · Updated 2026-01-06 · CVE-2025-66482

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Misskey versions 2025.9.1 through 2025.11.1
Misskey versions prior to 2025.12.0-alpha.2

Description

Misskey is an open source, federated social media platform. Attackers can bypass IP-based rate limiting by supplying a forged X-Forwarded-For header when Misskey is deployed behind an untrusted reverse proxy or with no reverse proxy at all. A configuration option, trustProxy, was added in version 2025.9.1 to address this, but it had an insecure default value before version 2025.12.0-alpha.2, so an instance remained vulnerable unless the option was set explicitly. The issue is resolved in version 2025.12.0-alpha.2 by changing the default value of trustProxy to false. The vulnerability lies in the handling of the X-Forwarded-For header.

Recommendations

Misskey versions 2025.9.1 through 2025.11.1: Set trustProxy: false in the configuration file.
Misskey versions prior to 2025.12.0-alpha.2: Set trustProxy: false in the configuration file.
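The following Node.js snippet is an added illustration, not Misskey's own code, of why the trustProxy default matters: a rate limiter keyed on the client address counts every request from one socket as a different client when X-Forwarded-For is trusted unconditionally, but not when the header is ignored or only honoured from a known proxy. The function names, the in-memory limiter and the addresses are constructed for this example; the "trust only a listed proxy" mode is a common hardening pattern and is not a description of Misskey's option format.

```javascript
// Resolve the address a rate limiter should key on.
// trustProxy: false  -> always use the TCP peer address
//             true   -> trust X-Forwarded-For from anyone (the insecure default)
//             Set    -> trust X-Forwarded-For only if the TCP peer is a listed proxy
function clientIp(req, trustProxy) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (!xff) return peer;
  const trusted = trustProxy === true || (trustProxy instanceof Set && trustProxy.has(peer));
  // Leftmost entry is the original client as reported by the proxy chain.
  return trusted ? xff.split(',')[0].trim() : peer;
}

// Minimal fixed-window limiter: at most `limit` requests per key.
class RateLimiter {
  constructor(limit) { this.limit = limit; this.counts = new Map(); }
  allow(key) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// Simulate `attempts` login requests arriving directly (no proxy) from one
// peer, each carrying a different forged X-Forwarded-For value (constructed data).
// Returns how many of them the limiter lets through.
function simulateForgedHeaders(trustProxy, attempts, limit) {
  const limiter = new RateLimiter(limit);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const req = {
      socket: { remoteAddress: '203.0.113.7' },
      headers: { 'x-forwarded-for': `198.51.100.${i}` },
    };
    if (limiter.allow(clientIp(req, trustProxy))) allowed++;
  }
  return allowed;
}

console.log('trustProxy: true  ->', simulateForgedHeaders(true, 20, 5), 'of 20 allowed');
console.log('trustProxy: false ->', simulateForgedHeaders(false, 20, 5), 'of 20 allowed');
console.log('trusted proxy set ->', simulateForgedHeaders(new Set(['10.0.0.5']), 20, 5), 'of 20 allowed');
```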

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2025-66482
GHSA-WWRJ-3HVJ-PRPM

Affected Products

Misskey