Authentication Bypass Vulnerability in Misskey Social Media Platform
CVE-2025-25306

9.3 CRITICAL

Key Information:

Status
Vendor
CVE Published: 10 March 2025

What is CVE-2025-25306?

The Misskey social media platform is affected by an authentication bypass vulnerability due to insufficient validation of relationships between the 'id' and 'url' fields of ActivityPub objects. An attacker can exploit this flaw by crafting a malicious object that falsely claims authority in the 'url' field, circumventing essential access controls established in the 'id' field. This issue has been addressed in version 2025.2.1, which includes a security patch that fortifies the validation logic to mitigate this risk.
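The id/url relationship check described above, as an added example that is not Misskey's actual patch: it assumes that validating the relationship means every `url` entry must share the host of `id`. The function names and sample objects are constructed for illustration.

```javascript
// Added example (not Misskey code): reject ActivityPub objects whose `url`
// claims a different authority (host) than their `id`.

// `url` may be a string, a Link object ({ type: 'Link', href }), or an array of both.
function collectUrlHrefs(url) {
  if (url == null) return [];
  const items = Array.isArray(url) ? url : [url];
  return items.map((item) => {
    if (typeof item === 'string') return item;
    if (item && typeof item.href === 'string') return item.href;
    return null; // malformed entry, rejected by the caller
  });
}

// Parse with the WHATWG URL parser, which lowercases the host and drops the
// default port, so comparisons are made on a normalized form.
function parseHttpsUrl(value) {
  try {
    const parsed = new URL(value);
    return parsed.protocol === 'https:' ? parsed : null;
  } catch {
    return null;
  }
}

function validateIdUrlAuthority(object) {
  const id = typeof object?.id === 'string' ? parseHttpsUrl(object.id) : null;
  if (!id) return { ok: false, reason: 'id is missing or not an https URL' };
  for (const href of collectUrlHrefs(object.url)) {
    const parsed = href === null ? null : parseHttpsUrl(href);
    if (!parsed) return { ok: false, reason: 'url entry is malformed or not https' };
    if (parsed.host !== id.host) {
      return { ok: false, reason: `url host ${parsed.host} does not match id host ${id.host}` };
    }
  }
  return { ok: true, reason: 'id and url share one authority' };
}

// Constructed sample objects (hosts use the reserved .example TLD).
const consistentNote = { id: 'https://remote.example/notes/1', url: 'https://REMOTE.example:443/@alice/1' };
const mismatchedNote = { id: 'https://a.example/notes/1', url: 'https://b.example/notes/1' };
const mixedLinks = {
  id: 'https://remote.example/notes/2',
  url: ['https://remote.example/n/2', { type: 'Link', href: 'https://b.example/n/2' }],
};
for (const note of [consistentNote, mismatchedNote, mixedLinks]) {
  console.log(note.id, validateIdUrlAuthority(note));
}
```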

Affected Version(s)

misskey < 2025.2.1

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
