Vulnerability Description
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Misskey | Misskey | < 2024.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/srProduct
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/srProduct
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/srProduct
- https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69Patch
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32Vendor Advisory
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/srProduct
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/srProduct
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/srProduct
- https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69Patch
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32Vendor Advisory
FAQ
What is CVE-2024-25636?
CVE-2024-25636 is a vulnerability with a CVSS score of 7.1 (HIGH). Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the respon...
How severe is CVE-2024-25636?
CVE-2024-25636 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-25636?
Check the references section above for vendor advisories and patch information. Affected products include: Misskey Misskey.