CVE-2025-46559 Information
Description
Misskey is an open source federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it is not designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with ../ to step out of the /api directory, thereby being able to make requests to other endpoints such as /files, /url and /proxy. Version 2025.4.1 fixes the issue.
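The traversal described above comes down to string concatenation followed by URL normalisation: once a caller-controlled endpoint name is appended to ".../api/", a leading "../" collapses the "api" segment and the request lands on a sibling path such as /files or /proxy. The TypeScript below is an added illustration, not Misskey's code or its actual fix; the origin, function names, allowlist pattern and sample inputs are hypothetical. It shows an unchecked builder beside a checked one that first allowlists the endpoint shape and then re-verifies the resolved URL still sits under /api/, which also catches encoded and backslash spellings of "..".

```typescript
// Added illustration (not Misskey's own code): how an unchecked endpoint
// string handed to an Mk:api-style helper escapes /api, and one way to
// validate it. ORIGIN, the function names and the samples are constructed.

const ORIGIN = "https://example.test";      // constructed sample origin
const API_BASE = `${ORIGIN}/api/`;

// Weak builder: appends the caller-controlled endpoint to /api/ and lets
// the WHATWG URL parser normalise the result. A "../" prefix (or its
// percent-encoded / backslash spellings) removes the /api segment.
function buildApiUrlUnchecked(endpoint: string): string {
  return new URL(API_BASE + endpoint).toString();
}

// True when the resolved request would leave the /api/ prefix (or origin).
function escapesApi(endpoint: string): boolean {
  const url = new URL(API_BASE + endpoint);
  return url.origin !== ORIGIN || !url.pathname.startsWith("/api/");
}

// Allowlist for endpoint names: lowercase segments of [a-z0-9_-] joined by
// single slashes, matching the shape of names such as "notes/create".
// Assumption: legitimate endpoint names never contain '.', '%', '\' or
// empty segments, so anything with those characters is rejected outright.
const ENDPOINT_RE = /^[a-z0-9][a-z0-9_-]*(?:\/[a-z0-9][a-z0-9_-]*)*$/;

// Hardened builder: reject anything outside the allowlist, then re-check the
// resolved URL so that a parser quirk still cannot move the request out of
// /api/. Takes `unknown` because script-supplied values are untrusted.
function buildApiUrlChecked(endpoint: unknown): string | null {
  if (typeof endpoint !== "string" || !ENDPOINT_RE.test(endpoint)) return null;
  const url = new URL(API_BASE + endpoint);
  if (url.origin !== ORIGIN || !url.pathname.startsWith("/api/")) return null;
  return url.toString();
}

// Constructed samples: one legitimate endpoint and several traversal spellings.
const SAMPLES: string[] = [
  "notes/create",              // legitimate
  "../files/some-file-id",     // plain traversal out of /api
  "%2e%2e/proxy/image.png",    // percent-encoded dot-dot segment
  "..\\url",                   // backslash is a path separator for https URLs
  "a/../../files/x",           // traversal after a harmless-looking segment
];

for (const ep of SAMPLES) {
  console.log(
    JSON.stringify(ep).padEnd(28),
    "unchecked ->", buildApiUrlUnchecked(ep).padEnd(44),
    "checked ->", buildApiUrlChecked(ep),
  );
}
```

Checking the parsed result rather than only the raw string is the part worth keeping: the allowlist blocks the known spellings, while the pathname check guards against any future encoding the allowlist did not anticipate.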
Reference
https://github.com/misskey-dev/misskey/commit/583df3ec63e25a1fd34def0dac13405396b8b663
https://github.com/misskey-dev/misskey/security/advisories/GHSA-gmq6-738q-vjp2