Arbitrary file upload in Misskey-dev Misskey
CVE-2024-25636
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Conten…
Vulnerability class: Unrestricted File Upload
EPSS: 0.002 (43.9th percentile)
CVSS v3 metric
CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N.
Affected products
- Misskey-dev Misskey — versions < 2024.2.0
References
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32 (x_refsource_CONFIRM)
- https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a (x_refsource_MISC)
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119 (x_refsource_MISC)
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308 (x_refsource_MISC)
- https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-25636?
  CVE-2024-25636 is a high-severity vulnerability in Misskey-dev Misskey, classified under Unrestricted Upload of File with Dangerous Type. CVSS score: 7.1/10. Published 2024-02-19.
- How severe is CVE-2024-25636?
  High severity. The CVSS v3 base score is 7.1 out of 10.
- Is CVE-2024-25636 known to be exploited?
  1 public proof-of-concept repository is indexed. It is not currently listed in the CISA KEV catalog.