CVE-2025-25306

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the id and url fields of ActivityPub objects. An attacker can forge an object where they claim authority in the url field even if the specific ActivityPub object type require authority in the id field. Version 2025.2.1 addresses the issue.

Weakness

The product does not properly verify that the source of data or communication is valid.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/111.html
• https://cwe.mitre.org/data/definitions/141.html
• https://cwe.mitre.org/data/definitions/142.html
• https://cwe.mitre.org/data/definitions/160.html
• https://cwe.mitre.org/data/definitions/21.html
• https://cwe.mitre.org/data/definitions/384.html
• https://cwe.mitre.org/data/definitions/385.html
• https://cwe.mitre.org/data/definitions/386.html
• https://cwe.mitre.org/data/definitions/387.html
• https://cwe.mitre.org/data/definitions/388.html
• https://cwe.mitre.org/data/definitions/510.html
• https://cwe.mitre.org/data/definitions/59.html
• https://cwe.mitre.org/data/definitions/60.html
• https://cwe.mitre.org/data/definitions/75.html
• https://cwe.mitre.org/data/definitions/76.html
• https://cwe.mitre.org/data/definitions/89.html

References

• https://github.com/misskey-dev/misskey/releases/tag/2025.2.1
• https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26