IP Rate Limiting Bypass in Misskey by Untrusted Reverse Proxy
CVE-2025-66482

6.9 MEDIUM

Key Information:

Status
Vendor
CVE Published:
15 December 2025

What is CVE-2025-66482?

Misskey, an open-source federated social media platform, is vulnerable to an IP rate limiting bypass when it is deployed behind an untrusted reverse proxy. The rate limiter keys on the client address taken from the X-Forwarded-For header, so an attacker who can set that header supplies a different forged address on each request and is never counted against the per-IP limit. Version 2025.9.1 introduced a trustProxy configuration option to control whether forwarded headers are honoured, but its default was insecure, so deployments from 2025.9.1 up to, but not including, 2025.12.0-alpha.2 were exposed unless the operator set the option explicitly. From 2025.12.0-alpha.2 the option defaults to false, so forwarded headers are ignored unless the operator opts in. Operators on affected versions should set trustProxy explicitly. Those who do run a trusted reverse proxy should enable it deliberately so rate limiting keys on the real client address rather than on the proxy's, and should confirm that the proxy overwrites, rather than appends to, any X-Forwarded-For value supplied by the client.

Affected Version(s)

misskey >= 2025.9.1, < 2025.12.0-alpha.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 15 December 2025

  • Vulnerability reserved