- Description
- Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields of ActivityPub objects. An attacker can forge an object where they claim authority in the `url` field even if the specific ActivityPub object type requires authority in the `id` field. Version 2025.2.1 addresses the issue.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 3.1
- Type
- Secondary
- Base score
- 9.3
- Impact score
- 4.7
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-346
- Hype score
- Not currently trending
🚨 CVE-2025-25306 ⚠️🔴 CRITICAL (9.3) 🏢 misskey-dev - misskey 🏗️ < 2025.2.1 🔗 https://t.co/SIAWyqnzLp 🔗 https://t.co/0NtWQWXUY5 #CyberCron #VulnAlert #InfoSec https://t.co/kchO3ol3gP
@cybercronai
12 Mar 2025
New post from https://t.co/uXvPWJy6tj (CVE-2025-25306 | misskey up to 2025.2.0-alpha.0 ActivityPub id origin validation (GHSA-6w2c-vf6f-xf26)) has been published on https://t.co/owlABWlClW
@WolfgangSesin
10 Mar 2025
CVE-2025-25306 Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields … https://t.co/tHPG80M9rT
@CVEnew
10 Mar 2025
[CVE-2025-25306: CRITICAL] A patch for a CVE in Misskey's ActivityPub validation process was released in Version 2025.2.1 to prevent attackers from forging objects and gaining unauthorized authority. #cybersecurity, #vulnerability https://t.co/mZwqofpAIT https://t.co/id5m7rklpt
@CveFindCom
10 Mar 2025