CVE-2021-39195

7.7 HIGH

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Misskey's 'Upload from URL' and remote attachment features. Attackers can exploit this to make the server send requests to internal network resources, potentially exposing sensitive information. All Misskey instances running affected versions are vulnerable.

💻 Affected Systems

Products:
  • Misskey
Versions: before 12.90.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Proxy configurations require additional measures even after patching to 12.90.0.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete disclosure of internal network services, credentials, or sensitive data through SSRF to internal endpoints.

🟠 Likely Case: Information disclosure from internal services accessible to the Misskey server, potentially including metadata or configuration data.

🟢 If Mitigated: Limited or no impact if network segmentation prevents access to sensitive internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SSRF vulnerabilities are commonly exploited and tooling exists for automated exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.90.0

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf

Restart Required: Yes

Instructions:

1. Back up your Misskey instance.
2. Update to version 12.90.0 or later using your package manager or a manual update.
3. Restart the Misskey service.
4. If using a proxy, implement the additional network restrictions described in the advisory.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict the Misskey server's access to internal networks to prevent SSRF exploitation. Use firewall rules to block outbound connections from Misskey to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Misskey from internal resources
  • Disable 'Upload from URL' and remote attachment features if not required
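Both the official fix and the workarounds above come down to one rule: a fetch triggered by 'Upload from URL' or a remote attachment must never reach an internal address. The following is an added example of such a check; it is my own illustration, not Misskey's code or the change shipped in 12.90.0. It restricts the scheme, resolves the host, and refuses the fetch if any resolved address is non-global, which goes beyond the three RFC 1918 ranges listed in the workaround to cover loopback, link-local (where cloud metadata services sit), IPv6 ULA and IPv4-mapped IPv6 forms. The FAKE_DNS table, the hostnames in it and the function names are constructed so the example runs offline; in production pass the real socket.getaddrinfo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline. These hosts and
# addresses are made up for illustration; use socket.getaddrinfo in production.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback record
}


def fake_resolve(host, port):
    """Stand-in for socket.getaddrinfo with the same return shape."""
    addrs = FAKE_DNS.get(host)
    if addrs is None:
        try:
            ipaddress.ip_address(host)  # an IP literal resolves to itself
            addrs = [host]
        except ValueError:
            raise socket.gaierror(f"unknown host {host}") from None
    return [(0, 0, 0, "", (a, port)) for a in addrs]


def is_forbidden_address(addr):
    """True for any address a URL fetcher must not contact: RFC 1918,
    loopback, link-local (cloud metadata), ULA, multicast and reserved."""
    ip = ipaddress.ip_address(addr)
    # Judge ::ffff:a.b.c.d by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def check_remote_url(url, resolve=socket.getaddrinfo):
    """Return (allowed, reason). Every address the host resolves to is
    checked, so a name with one public and one internal record is rejected."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL or port"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        infos = resolve(parts.hostname, port)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    addrs = {info[4][0] for info in infos}
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in sorted(addrs):
        if is_forbidden_address(addr):
            return False, f"{parts.hostname} resolves to forbidden address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://cdn.example/cat.png", "http://intranet.example/admin",
              "http://rebind.example/", "http://169.254.169.254/latest/meta-data/",
              "http://[::1]:8080/", "ftp://cdn.example/x"):
        print(u, "->", check_remote_url(u, fake_resolve))
```

Two things the check alone does not close: the fetcher must connect to the address it validated rather than resolving the name a second time, and it must re-run the check on every redirect. And as the note in the affected-systems block says, a proxy changes the picture: when outbound requests go through a proxy, the proxy does the name resolution, so the same policy has to be enforced there as well.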

🔍 How to Verify

Check if Vulnerable:

Check your Misskey version: if it is below 12.90.0, you are vulnerable.

Check Version:

Check the Misskey admin panel or configuration files for version information

Verify Fix Applied:

Confirm version is 12.90.0 or higher and test that SSRF attempts to internal addresses are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Misskey to internal IP addresses
  • Failed upload attempts with suspicious URLs

Network Indicators:

  • HTTP requests from Misskey server to internal network segments
  • Unusual traffic patterns from application server

SIEM Query (generic syntax; adapt the operator names to your SIEM):

source="misskey-logs" AND url MATCHES "^https?://(\[::1\]|127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.|\[f[cd][0-9a-f]{2}:)"

Anchoring on the host position avoids matching "10." inside a path or query string, and the 172 term covers only 172.16.0.0/12 rather than every 172.x address. The pattern only catches hosts written as IP literals; a hostname that resolves to an internal address shows up only in DNS or proxy logs, so correlate with those.
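Substring matching in a query like the one above is easy to write but noisy: "10." also hits a path such as /img/10.png, "172." hits any 172.x address, and IPv6 ULA or link-local hosts are missed entirely. As an added example, not from the page's author or the Misskey project, the scanner below runs the same detection over constructed log lines: it pulls the URL out of each line, extracts the host with urlsplit, and classifies IP-literal hosts by CIDR membership; hostnames that would need DNS are reported separately instead of guessed at. The key=value log format and the field names user= and url= are assumptions, and the lines in SAMPLE_LOGS are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in a made-up key=value format (not Misskey's real
# log format); the field names user= and url= are assumptions.
SAMPLE_LOGS = [
    '2021-09-01T10:00:01Z INFO download-url user=alice url="https://cdn.example/cat.png" status=200',
    '2021-09-01T10:00:07Z INFO download-url user=bob url="http://10.0.0.5:8080/admin" status=403',
    '2021-09-01T10:00:09Z INFO download-url user=bob url="http://93.184.216.34/img/10.png" status=200',
    '2021-09-01T10:00:12Z INFO download-url user=carol url="http://[fd00::1]/secret" status=500',
    '2021-09-01T10:00:15Z INFO download-url user=carol url="http://169.254.169.254/latest/meta-data/" status=200',
    '2021-09-01T10:00:20Z INFO download-url user=dave url="http://intranet.example/wiki" status=200',
]

URL_RE = re.compile(r'\burl="([^"]+)"')
USER_RE = re.compile(r'\buser=(\S+)')


def is_forbidden_address(addr):
    """CIDR-based test for non-global (RFC 1918, loopback, link-local, ULA),
    multicast or reserved addresses; raises ValueError for non-literals."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the embedded IPv4
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def classify_url(url):
    """'internal' or 'external' for an IP-literal host; 'unresolved' for a
    hostname, which needs DNS or proxy logs before it can be classified."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "unresolved"
    if not host:
        return "unresolved"
    try:
        return "internal" if is_forbidden_address(host) else "external"
    except ValueError:
        return "unresolved"


def scan_logs(lines):
    """Return 'hits' (lines whose URL host is an internal literal) and
    'unresolved' (hostnames to resolve or join against DNS logs)."""
    hits, unresolved = [], []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        user_m = USER_RE.search(line)
        record = {"user": user_m.group(1) if user_m else None,
                  "host": urlsplit(url).hostname, "url": url}
        verdict = classify_url(url)
        if verdict == "internal":
            hits.append(record)
        elif verdict == "unresolved":
            unresolved.append(record)
    return {"hits": hits, "unresolved": unresolved}


def hits_per_user(lines):
    """Count flagged fetches per user, the figure worth alerting on."""
    counts = {}
    for hit in scan_logs(lines)["hits"]:
        counts[hit["user"]] = counts.get(hit["user"], 0) + 1
    return counts


if __name__ == "__main__":
    result = scan_logs(SAMPLE_LOGS)
    for hit in result["hits"]:
        print("INTERNAL  ", hit["user"], hit["host"], hit["url"])
    for item in result["unresolved"]:
        print("UNRESOLVED", item["user"], item["host"])
    print(hits_per_user(SAMPLE_LOGS))
```

On the sample above the scanner flags the 10.0.0.5, fd00::1 and 169.254.169.254 fetches, leaves the 93.184.216.34/img/10.png line alone, and lists cdn.example and intranet.example for resolution rather than deciding on the name alone.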
