CVE-2025-46559

Severity: High (CVSS 3.1 base score 7.5) · EPSS 28.8%
Published May 5, 2025 · Modified Jun 17, 2026

Description

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.
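The traversal described above, shown beside one way to validate the endpoint. This is an added example, not Misskey's code or its patch: `ORIGIN`, `naiveApiUrl`, `safeApiUrl` and `isRejected` are hypothetical names, the instance URL is constructed, and the allowed endpoint character set is an assumption.

```javascript
// Added example: hypothetical helpers, not Misskey's implementation.
const ORIGIN = 'https://misskey.example'; // constructed instance URL

// Pattern the description implies: the script-supplied endpoint is pasted
// into the request path with no validation, so URL normalisation lets
// '../' climb out of /api.
function naiveApiUrl(endpoint) {
  return new URL(`${ORIGIN}/api/${endpoint}`).pathname;
}

// Hardened form: accept only plain endpoint names, then confirm the
// resolved URL is still same-origin and under /api/.
function safeApiUrl(endpoint) {
  if (typeof endpoint !== 'string' || endpoint.length === 0) {
    throw new TypeError('endpoint must be a non-empty string');
  }
  // Assumed grammar: segments of [A-Za-z0-9_-] joined by single slashes.
  // This rejects '.', '%', '\', '?', '#', ':' and empty segments.
  if (!/^[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)*$/.test(endpoint)) {
    throw new RangeError(`invalid endpoint: ${JSON.stringify(endpoint)}`);
  }
  const base = new URL('/api/', ORIGIN);
  const url = new URL(endpoint, base);
  // Defence in depth: check the result, not just the input string.
  if (url.origin !== base.origin || !url.pathname.startsWith(base.pathname)) {
    throw new RangeError('endpoint resolves outside /api/');
  }
  return url.pathname;
}

// Convenience wrapper for checks and logging.
function isRejected(endpoint) {
  try {
    safeApiUrl(endpoint);
    return false;
  } catch {
    return true;
  }
}
```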

CVSS Details

Base Score: 7.5
Exploitability: 3.9
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Threat Intelligence

EPSS Exploit Probability: 28.8% percentile
Exploit & Patch Status: Public Exploit Known, Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 1

Vendor: misskey
Product: misskey
Version: *
Range: ≥12.31.0 – <2025.4.1

References 2

  • github.com https://github.com/misskey-dev/misskey/commit/583df3ec63e25a1fd34def0dac13405396b8b663
    Patch
  • github.com https://github.com/misskey-dev/misskey/security/advisories/GHSA-gmq6-738q-vjp2
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/misskey-dev/misskey/commit/583df3ec63e25a1fd34def0dac13405396b8b663
    Patch