6.9

CVE-2025-66482

Exploit
Misskey is an open source, federated social media platform. On instances that use an untrusted reverse proxy, or no reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) was added to the config file to prevent this. However, before version 2025.12.0-alpha.2 it is initialized with an insecure default value, so an instance is still vulnerable if the option is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping the default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure whether they manually overrode this value should check their config for optimal behavior. Users running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, a workaround is available: set `trustProxy: false` in the config file.
Data provided by the National Vulnerability Database (NVD)
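The mechanism behind the advisory is where the rate limiter takes the client address from. The following added example (written for this page; it is not Misskey's code, and the request field names, `clientIp`, `RateLimiter` and `simulate` are assumptions) models a limiter keyed on the resolved client IP and shows why a `trustProxy` default of `true` matters when no trusted proxy is in the path, and why `false` closes the gap:

```javascript
// Added example, not Misskey's own code. Requests are plain objects with the
// two fields the logic needs (remoteAddress = TCP peer, headers = HTTP headers);
// these field names are assumptions for this example.

function clientIp(req, trustProxy) {
  if (trustProxy) {
    const xff = req.headers['x-forwarded-for'];
    if (typeof xff === 'string' && xff.trim() !== '') {
      // Take the LAST hop: with exactly one trusted proxy in front of the app,
      // that is the address the proxy appended from its own TCP connection.
      // Earlier entries may have been supplied by whoever connected to the proxy.
      const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
      return hops[hops.length - 1];
    }
  }
  // Proxy not trusted (or header absent): use the TCP peer of this connection.
  return req.remoteAddress;
}

// Minimal counter, enough to show which key the limit is applied to.
class RateLimiter {
  constructor(limit) {
    this.limit = limit;
    this.counts = new Map();
  }
  allow(key) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// Runs a batch of requests through a fresh limiter and reports how many were
// allowed and how many distinct rate-limit keys the limiter saw.
function simulate(trustProxy, limit, requests) {
  const limiter = new RateLimiter(limit);
  let allowed = 0;
  for (const req of requests) {
    if (limiter.allow(clientIp(req, trustProxy))) allowed += 1;
  }
  return { allowed, distinctKeys: limiter.counts.size };
}

// Constructed sample: n requests from ONE peer address with no proxy in the
// path, each carrying a different X-Forwarded-For value chosen by the sender.
function directRequestsWithSpoofedHeader(n) {
  const out = [];
  for (let i = 1; i <= n; i++) {
    out.push({
      remoteAddress: '198.51.100.7', // RFC 5737 documentation address
      headers: { 'x-forwarded-for': `10.0.0.${i}` },
    });
  }
  return out;
}

// Constructed sample: the same n requests, but arriving through a trusted
// proxy that appended the real peer address as the last hop.
function proxiedRequests(n) {
  return directRequestsWithSpoofedHeader(n).map((r) => ({
    remoteAddress: '127.0.0.1', // the proxy's own address
    headers: { 'x-forwarded-for': `${r.headers['x-forwarded-for']}, 198.51.100.7` },
  }));
}

console.log('trustProxy=true,  no proxy:', JSON.stringify(simulate(true, 3, directRequestsWithSpoofedHeader(10))));
console.log('trustProxy=false, no proxy:', JSON.stringify(simulate(false, 3, directRequestsWithSpoofedHeader(10))));
console.log('trustProxy=true,  proxied :', JSON.stringify(simulate(true, 3, proxiedRequests(10))));
```

With a limit of 3 and ten requests from one peer, the first scenario lets all ten through under ten different keys, which is the bypass the advisory describes; the second and third each count all ten against one key and stop after three. Two checks follow from this for anyone on v2025.9.1 through v2025.11.1: set `trustProxy: false` unless a trusted proxy really is the only path to the application port, and when it is, confirm that the proxy appends (rather than passes through) the client address it observed.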
Affected products (CPE data)

Vendor | Product | Version | Update
Misskey | Misskey | >= 13.1.0 < 2025.12.0 | -
Misskey | Misskey | 13.0.0 | -
Misskey | Misskey | 13.0.0 | beta16
Misskey | Misskey | 13.0.0 | beta21
Misskey | Misskey | 13.0.0 | beta22
Misskey | Misskey | 13.0.0 | beta23
Misskey | Misskey | 13.0.0 | beta24
Misskey | Misskey | 13.0.0 | beta25
Misskey | Misskey | 13.0.0 | beta26
Misskey | Misskey | 13.0.0 | beta27
Misskey | Misskey | 13.0.0 | beta28
Misskey | Misskey | 13.0.0 | beta29
Misskey | Misskey | 13.0.0 | beta30
Misskey | Misskey | 13.0.0 | beta31
Misskey | Misskey | 13.0.0 | beta32
Misskey | Misskey | 13.0.0 | beta33
Misskey | Misskey | 13.0.0 | beta34
Misskey | Misskey | 13.0.0 | beta35
Misskey | Misskey | 13.0.0 | beta36
Misskey | Misskey | 13.0.0 | beta37
Misskey | Misskey | 13.0.0 | beta38
Misskey | Misskey | 13.0.0 | beta39
Misskey | Misskey | 13.0.0 | beta40
Misskey | Misskey | 13.0.0 | beta41
Misskey | Misskey | 13.0.0 | beta42
Misskey | Misskey | 13.0.0 | beta43
Misskey | Misskey | 13.0.0 | rc1
Misskey | Misskey | 13.0.0 | rc10
Misskey | Misskey | 13.0.0 | rc11
Misskey | Misskey | 13.0.0 | rc2
Misskey | Misskey | 13.0.0 | rc3
Misskey | Misskey | 13.0.0 | rc4
Misskey | Misskey | 13.0.0 | rc5
Misskey | Misskey | 13.0.0 | rc6
Misskey | Misskey | 13.0.0 | rc7
Misskey | Misskey | 13.0.0 | rc8
Misskey | Misskey | 13.0.0 | rc9
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics

Type | Source | Score | Percentile
EPSS | FIRST.org | 0.08% | 0.228
CVSS Metrics

Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 6.5 | 3.9 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
security-advisories@github.com | 6.9 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.