CVE-2025-46340 in misskey
Summary
by MITRE • 05/05/2025
Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it's using a protocol that is likely to not be understood by Misskey, i.e. something other than `http` or `https`. This both can de-anonymize users and allow further attacks in the client. Additionally, `MkUrlPreview` doesn't escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue.
Analysis
by VulDB Data Team • 09/03/2025
The vulnerability identified as CVE-2025-46340 affects Misskey, an open source federated social media platform that operates under the principles of distributed social networking. This security flaw exists within the URL preview functionality of the platform, specifically within the `UrlPreviewService` and `MkUrlPreview` components. The issue stems from inadequate input validation and sanitization mechanisms that fail to properly handle user-supplied URLs, creating a vector for malicious actors to manipulate the platform's visual presentation elements. The vulnerability impacts versions starting from 12.0.0 up to but not including 2025.4.1, representing a significant portion of the platform's release history where users were exposed to potential security risks.
The vulnerability arises from the combination of two weaknesses in the URL preview system: lenient protocol handling and missing CSS escaping. When `UrlPreviewService.wrap` encounters a URL whose protocol is neither http nor https, it falls back to returning the original URL string without sanitizing it, so attacker-controlled text reaches the preview component unchanged. `MkUrlPreview` then places that value into a `background-image` property without escaping it for a CSS context, which lets an attacker break out of the intended `url(...)` value and inject arbitrary CSS rules that restyle the preview element. The result is a CSS injection that can alter how content is presented to the user and thereby deceive them through visual manipulation.
The operational impact of this vulnerability extends beyond simple visual deception to encompass serious privacy and security implications for users. The ability to de-anonymize users represents a significant privacy concern, as attackers can potentially track user behavior or identify individuals through manipulated preview elements. More critically, the vulnerability enables sophisticated social engineering attacks where attackers can craft convincing fake error messages or misleading interface elements designed to trick users into revealing sensitive information such as login credentials, personal data, or financial details. This represents a direct threat to user security and platform integrity, particularly in a federated environment where trust between instances is paramount. The vulnerability's potential for credential theft and user deception aligns with attack patterns documented in the MITRE ATT&CK framework under the credential access and defense evasion categories, specifically leveraging techniques for user interface manipulation and social engineering.
The mitigation for this vulnerability requires updating to version 2025.4.1 or later, which includes proper input validation and sanitization mechanisms for URL previews. Security practitioners should implement additional monitoring for suspicious URL patterns and ensure that all user-generated content undergoes proper sanitization before being rendered in web interfaces. The fix addresses the core issue by implementing proper CSS escaping and protocol validation within the `UrlPreviewService` and `MkUrlPreview` components, preventing arbitrary CSS injection while maintaining the platform's intended functionality. This vulnerability demonstrates the importance of proper input validation and output escaping in web applications, particularly in federated systems where content from untrusted sources must be carefully handled to prevent both privacy breaches and security exploitation. The issue aligns with CWE-79, which addresses cross-site scripting vulnerabilities, and represents a classic example of how insufficient sanitization can lead to serious security consequences in web applications. Organizations using Misskey should also consider implementing additional security controls such as content security policies and regular security audits to prevent similar vulnerabilities from emerging in other components of their federated social media infrastructure.
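The two controls described above (accept only http/https preview URLs instead of echoing the raw string back, and escape the URL for a CSS context before interpolating it into `background-image`) can be illustrated with a small self-contained example. This is added example code, not Misskey's `UrlPreviewService` or `MkUrlPreview` implementation; the function names, the escaping strategy (CSS hex escapes over a conservative allow-list) and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example (not Misskey's code): validate and escape a preview URL before it is
// interpolated into a CSS background-image declaration. All names and sample inputs
// below are assumptions constructed for this illustration.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Control 1: accept only parseable absolute http(s) URLs. Anything else returns null,
// rather than falling back to the raw string as the advisory describes.
function normalizePreviewUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Control 2: escape a value for use inside a quoted CSS url("...") token. Every character
// outside a conservative allow-list becomes a CSS hex escape (\HH followed by a space), so
// quotes, backslashes, parentheses, braces, semicolons and newlines cannot terminate the
// string, the url() token or the declaration.
function cssStringEscape(value) {
  let out = '';
  for (const ch of String(value)) {
    if (/[A-Za-z0-9._~:\/?#@!$&*+,=%-]/.test(ch)) {
      out += ch;
    } else {
      out += '\\' + ch.codePointAt(0).toString(16) + ' ';
    }
  }
  return out;
}

// The pattern the advisory warns about: the raw value is interpolated as-is.
// Kept here only as the "before" to contrast with buildPreviewStyle; do not use.
function unsafePreviewStyle(raw) {
  return `background-image: url("${raw}")`;
}

// Hardened builder: returns a CSS declaration string, or null when the URL must not be
// previewed at all (the caller should then render no background image).
function buildPreviewStyle(raw) {
  const url = normalizePreviewUrl(raw);
  if (url === null) return null;
  return `background-image: url("${cssStringEscape(url)}")`;
}

// Constructed sample inputs covering the three cases that matter.
const SAMPLES = [
  'https://example.com/thumb.png',   // ordinary https thumbnail: passes through unchanged
  'custom-scheme://something',       // non-http(s): must be rejected, not echoed back
  'https://example.com/a")',         // quote and paren that would end the url() token
];

function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    unsafe: unsafePreviewStyle(s),
    hardened: buildPreviewStyle(s),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) console.log(row);
}
```

Running the file shows the contrast: the unsafe builder emits `url("https://example.com/a")")` for the third sample, closing the token early, while the hardened builder emits `url("https://example.com/a%22\29 ")` (the WHATWG URL parser percent-encodes the quote and the escaper neutralizes the parenthesis), and it returns `null` for the non-http(s) scheme instead of passing the raw string through. A Content Security Policy that restricts `style-src` does not prevent this class of injection on its own, because the injected rules ride inside an attribute the application itself sets, so the escaping has to happen in the component.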