Return to CVE list

CVE-2025-25306

9.3
Critical

CVE-2025-25306

security-advisories@github.com
Awaiting Analysis
View on MITREFind on GitHub

Description

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields of ActivityPub objects. An attacker can forge an object where they claim authority in the `url` field even if the specific ActivityPub object type require authority in the `id` field. Version 2025.2.1 addresses the issue.

Exploits

No known exploits found for this CVE.

Search Exploit-DB

References

security-advisories@github.com
https://github.com/misskey-dev/misskey/releases/tag/2025.2.1
security-advisories@github.com
https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26