
CVE-2025-25306
Date: March 10, 2025
Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the "id" and "url" fields of ActivityPub objects. An attacker can forge an object where they claim authority in the "url" field even if the specific ActivityPub object type requires authority in the "id" field. Version 2025.2.1 addresses the issue.
Severity Score
Weakness Type (CWE)
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | CHANGED |
Confidentiality (C): | LOW |
Integrity (I): | HIGH |
Availability (A): | NONE |