exploitDog

CVE-2025-25306

Опубликовано: 10 мар. 2025

Источник: nvd

CVSS3: 9.3

EPSS Низкий

Описание

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the id and url fields of ActivityPub objects. An attacker can forge an object where they claim authority in the url field even if the specific ActivityPub object type require authority in the id field. Version 2025.2.1 addresses the issue.

Ссылки

https://github.com/misskey-dev/misskey/releases/tag/2025.2.1
Patch
https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*

Версия до 2025.2.1 (исключая)

EPSS

Процентиль: 17%

0.00053

Низкий

9.3 Critical

CVSS3

Дефекты

CWE-346

EPSS

Процентиль: 17%

0.00053

Низкий

9.3 Critical

CVSS3

Дефекты

CWE-346