Skip to main content

Misskey CVE-2024-25636

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-02-19 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 19, 2024 - 20:15 nvd
HIGH 8.8

DescriptionNVD

Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an Accept header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.

AnalysisAI

Misskey is an open source, decentralized social media platform with ActivityPub support. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an Accept header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue. Affected products include: Misskey. Version information: version 2024.2.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2024-32983 HIGH POC
7.5 Jun 03

Misskey is an open source, decentralized microblogging platform. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2019-1020010 MEDIUM POC
6.1 Jul 29

Misskey before 10.102.4 allows hijacking a user's token. Rated medium severity (CVSS 6.1), this vulnerability is remotel

CVE-2023-24812 CRITICAL
9.8 Feb 22

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.8), this vulnerability i

CVE-2023-52139 CRITICAL
9.6 Dec 29

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.6), this vulnerability i

CVE-2025-46559 MEDIUM POC
5.4 May 05

Misskey is an open source, federated social media platform. Rated medium severity (CVSS 5.4), this vulnerability is remo

CVE-2024-52591 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2024-52590 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2025-24897 HIGH
8.2 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.2), this vulnerability is remote

CVE-2025-24896 HIGH
8.1 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remote

CVE-2026-28431 HIGH
7.5 Mar 10

Misskey is an open source, federated social media platform.

CVE-2026-28432 HIGH
7.5 Mar 10

federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryp

CVE-2023-49079 HIGH
7.5 Nov 29

Misskey is an open source, decentralized social media platform. Rated high severity (CVSS 7.5), this vulnerability is re

Share

CVE-2024-25636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy