CVE-2025-25306

CRITICAL
2025-03-10 [email protected]
RCE
9.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 19:50 vuln.today
Patch Released
Nov 26, 2025 - 16:24 nvd
Patch available
CVE Published
Mar 10, 2025 - 19:15 nvd
CRITICAL 9.3

DescriptionNVD

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the id and url fields of ActivityPub objects. An attacker can forge an object where they claim authority in the url field even if the specific ActivityPub object type require authority in the id field. Version 2025.2.1 addresses the issue.

AnalysisAI

Misskey, a federated social media platform, has an incomplete fix for CVE-2024-52591 that allows ActivityPub object forgery. An attacker can claim authority in the URL field even when the protocol requires authority in the ID field, enabling spoofing of federated content. Fixed in 2025.2.1.

Technical ContextAI

The ActivityPub protocol requires certain object types to have authoritative ID fields matching the originating server. Misskey's patch only validated IDs but not URLs (CWE-346), allowing an attacker to forge objects where the URL claims a different origin than the ID, bypassing origin validation.

Affected ProductsAI

Misskey before 2025.2.1

RemediationAI

Upgrade to Misskey 2025.2.1 or later. Instance administrators should review recent federated content for anomalies.

Share

CVE-2025-25306 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy