CVE-2025-46559 in misskeyinfo

Summary

by MITRE • 05/05/2025

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/03/2025

The vulnerability identified as CVE-2025-46559 affects Misskey, an open source federated social media platform that enables users to create and share content across interconnected instances. This security flaw resides in the Mk:api component which serves as the application programming interface for automated interactions within the platform. The vulnerability specifically impacts versions beginning with 12.31.0 through the version prior to 2025.4.1, creating a path for unauthorized access to restricted endpoints through improper input validation mechanisms. The issue manifests when malicious AiScript code attempts to exploit path traversal vulnerabilities by prepending URL paths with '../' sequences to escape the designated API directory boundaries.

The technical implementation of this vulnerability stems from insufficient validation of user-supplied input within the Mk:api processing pipeline. When AiScript code is executed, it receives a request to access specific API endpoints but lacks proper boundary checking mechanisms that should prevent path traversal attacks. The malicious code exploits this weakness by appending '../' sequences to API endpoint paths, effectively navigating upward through the directory structure beyond the intended '/api' namespace. This allows the compromised AiScript to access sensitive endpoints including '/files' which contains file management capabilities, '/url' for URL processing functions, and '/proxy' for proxy-related operations that could potentially expose the underlying infrastructure or allow unauthorized data access.

The operational impact of this vulnerability extends beyond simple privilege escalation as it creates potential pathways for data exfiltration, unauthorized file access, and system reconnaissance. Attackers could leverage this flaw to access file storage systems and potentially retrieve sensitive user data, manipulate file operations, or exploit the proxy functionality to conduct further attacks against other systems. The vulnerability represents a classic path traversal attack pattern that can be classified under CWE-22 Path Traversal and aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter. The exposed endpoints provide attackers with multiple vectors for exploitation, with '/files' potentially offering access to uploaded content and '/proxy' capable of being used for external network reconnaissance or attack routing.

Mitigation strategies for this vulnerability involve upgrading to version 2025.4.1 or later where the validation mechanisms have been properly implemented to prevent path traversal attacks. System administrators should also implement additional security measures such as input sanitization for API requests, network segmentation to limit access to sensitive endpoints, and monitoring for suspicious API access patterns. The fix implemented in version 2025.4.1 likely includes proper validation of URL paths to ensure they remain within the designated API directory boundaries and rejects any attempts to traverse above the intended namespace. Organizations should conduct thorough security assessments of their Misskey installations to verify proper patching and implement comprehensive logging of API access to detect potential exploitation attempts. Regular security updates and vulnerability scanning should be maintained to prevent similar issues from arising in the future, particularly focusing on input validation and access control mechanisms within API frameworks.

Responsible

GitHub M

Reservation

04/24/2025

Disclosure

05/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00370

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!