Unrated severityNVD Advisory· Published May 5, 2025· Updated May 5, 2025

Misskey Directory Traversal Vulnerability in AiScript via `Mk:api`

CVE-2025-46559

Description

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with ../ to step out of the /api directory, thereby being able to make requests to other endpoints, such as /files, /url, and /proxy. Version 2025.4.1 fixes the issue.

Affected products

Misskey Dev/Misskeyv5
Range: >= 12.31.0, < 2025.4.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/misskey-dev/misskey/commit/583df3ec63e25a1fd34def0dac13405396b8b663mitrex_refsource_MISC
github.com/misskey-dev/misskey/security/advisories/GHSA-gmq6-738q-vjp2mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000