Misskey
CVE-2024-25636
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an Accept header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.
AnalysisAI
Misskey is an open source, decentralized social media platform with ActivityPub support. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an Accept header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue. Affected products include: Misskey. Version information: version 2024.2.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
Misskey is an open source, decentralized microblogging platform. Rated high severity (CVSS 7.5), this vulnerability is r
Misskey before 10.102.4 allows hijacking a user's token. Rated medium severity (CVSS 6.1), this vulnerability is remotel
Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.8), this vulnerability i
Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.6), this vulnerability i
Misskey is an open source, federated social media platform. Rated medium severity (CVSS 5.4), this vulnerability is remo
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.2), this vulnerability is remote
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remote
Misskey is an open source, federated social media platform.
federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryp
Misskey is an open source, decentralized social media platform. Rated high severity (CVSS 7.5), this vulnerability is re
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today