VYPR
Unrated severity · NVD Advisory · Published Mar 10, 2025 · Updated Mar 12, 2025

Misskey's Incomplete Patch of CVE-2024-52591 Leads to Forgery of Federated Notes

CVE-2025-25306

Description

Misskey is an open-source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the id and url fields of ActivityPub objects. An attacker can forge an object in which they claim authority in the url field even if the specific ActivityPub object type requires authority in the id field. Version 2025.2.1 addresses the issue.
