Authentication Bypass Vulnerability in Misskey Social Media Platform
CVE-2025-25306
9.3CRITICAL
What is CVE-2025-25306?
The Misskey social media platform is affected by an authentication bypass vulnerability due to insufficient validation of relationships between the 'id' and 'url' fields of ActivityPub objects. An attacker can exploit this flaw by crafting a malicious object that falsely claims authority in the 'url' field, circumventing essential access controls established in the 'id' field. This issue has been addressed in version 2025.2.1, which includes a security patch that fortifies the validation logic to mitigate this risk.
Affected Version(s)
misskey < 2025.2.1
