CVE-2025-25306 Information
Description
Misskey is an open source federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the id and url fields of ActivityPub objects. An attacker can forge an object where they claim authority in the url field even if the specific ActivityPub object type requires authority in the id field. Version 2025.2.1 addresses the issue.
Reference
https://github.com/misskey-dev/misskey/releases/tag/2025.2.1
https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26
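The weakness described above is a trust boundary problem: the object's `id` is the authoritative identifier, while `url` is a display link that must never grant authority. As an added illustrative check (not Misskey's code or its actual patch; the object shapes, hostnames and the `fetchedFrom` parameter are assumptions), one way a receiving server can enforce that relation:

```typescript
// Added, illustrative check (not Misskey's code): authority for an ActivityPub
// object is derived from `id`; `url` is display-only and may never widen it.
type Link = { href?: string };
type APObject = { id?: string; type?: string; url?: string | Link | (string | Link)[] };
type Verdict = { ok: true; authority: string } | { ok: false; reason: string };

// Lowercase host of an https URI, or null if the value is not a valid https URI.
function httpsHost(uri: string | undefined): string | null {
  if (typeof uri !== 'string') return null;
  try {
    const u = new URL(uri);
    return u.protocol === 'https:' ? u.host.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Normalize `url` (string, Link object, or array of either) into a list of hrefs.
function urlHrefs(url: APObject['url']): string[] {
  const items = url === undefined ? [] : Array.isArray(url) ? url : [url];
  return items.map((u) => (typeof u === 'string' ? u : u.href ?? ''));
}

// Authority comes from `id` alone, and `id` must sit on the origin the object was
// fetched from (assumption: the caller passes that host). Every `url` entry must
// stay on the same host, so a forged `url` cannot claim another instance's authority.
function checkAuthority(obj: APObject, fetchedFrom: string): Verdict {
  const idHost = httpsHost(obj.id);
  if (!idHost) return { ok: false, reason: 'id missing or not an https URI' };
  if (idHost !== fetchedFrom.toLowerCase()) {
    return { ok: false, reason: `id host ${idHost} differs from fetch origin ${fetchedFrom}` };
  }
  for (const href of urlHrefs(obj.url)) {
    const h = httpsHost(href);
    if (h !== idHost) return { ok: false, reason: `url ${href} is not on id host ${idHost}` };
  }
  return { ok: true, authority: idHost };
}

// Constructed sample objects (hostnames are placeholders, not real instances).
const legitimateNote: APObject = {
  id: 'https://social.example/notes/1', type: 'Note', url: 'https://social.example/@alice/1',
};
const forgedNote: APObject = {
  id: 'https://evil.example/notes/1', type: 'Note',
  url: [{ href: 'https://social.example/@alice/1' }],
};
```

The forged object is rejected even though its `url` looks like it belongs to the victim instance, because only the `id` host is ever consulted for authority and every `url` entry is required to stay on it.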