CVE-2023-25154

7.1 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary JavaScript in victims' browsers by exploiting improper URL validation in Misskey's ActivityPub implementation. It affects all Misskey instances running versions before 13.5.0. Attackers can craft malicious links that execute JavaScript when users view content from untrusted remote instances.

💻 Affected Systems

Products:
  • Misskey
Versions: All versions prior to 13.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with ActivityPub federation enabled (default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, data theft, session hijacking, and further server compromise through client-side attacks.

🟠 Likely Case

Session hijacking, account compromise, data exfiltration, and malicious actions performed as the victim user.

🟢 If Mitigated

Limited impact with proper content security policies and user awareness, but still potentially dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires victims to view malicious content from attacker-controlled instances.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.5.0

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-pfp5-r48x-fg25

Restart Required: Yes

Instructions:

1. Back up your instance data.
2. Update Misskey to version 13.5.0 or later using your package manager or git pull.
3. Run 'pnpm install' to update dependencies.
4. Restart the Misskey service.

🔧 Temporary Workarounds

Disable Remote Viewing (platform: all)

Prevent users from viewing content on remote instances where the vulnerability could be triggered.

Content Security Policy (platform: linux)

Implement strict CSP headers to block inline JavaScript and restrict script sources. Example nginx directive:

add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;

Without 'unsafe-inline' in script-src, a javascript: URL is treated as inline script and blocked, but the same restriction can break parts of the Misskey frontend, so trial the policy with the Content-Security-Policy-Report-Only header before enforcing it.

🧯 If You Can't Patch

  • Disable ActivityPub federation entirely if not required
  • Educate users to never use 'view on remote' feature for untrusted instances

🔍 How to Verify

Check if Vulnerable:

Check if Misskey version is below 13.5.0 in admin panel or via package manager.

Check Version:

grep '"version"' package.json

Run this from the Misskey install directory; the reported version must be 13.5.0 or higher.

Verify Fix Applied:

Confirm version is 13.5.0 or higher and test that javascript: URLs are properly sanitized in remote content.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution in user sessions
  • Multiple failed URL validation attempts

Network Indicators:

  • Suspicious javascript: scheme URLs in ActivityPub payloads

SIEM Query:

source="misskey.log" AND "javascript:" AND "remote"
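One defensive check that covers both the "Verify Fix Applied" test and the network indicator above, as an added example that is not Misskey's own code: an http/https allowlist for link targets (the allowlist and the ActivityPub field names inspected are assumptions) plus a scan that reports every link in a received object that fails it. It assumes Node 18+ for the global WHATWG URL class.

```typescript
// Added example, not Misskey's own code. Assumes Node 18+ (global WHATWG URL class).
// Schemes allowed to become clickable links in federated content (assumed for this example).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// True only for an absolute http(s) URL. The WHATWG parser lower-cases the scheme and
// strips surrounding whitespace, so "JaVaScRiPt:" and " javascript:" still parse to
// protocol "javascript:" and are rejected; relative or unparsable inputs are rejected too.
function isSafeHref(href: string): boolean {
  try {
    return ALLOWED_SCHEMES.has(new URL(href).protocol);
  } catch {
    return false;
  }
}
// Normalized URL to render, or null when the link must be dropped.
function sanitizeHref(href: string): string | null {
  return isSafeHref(href) ? new URL(href).toString() : null;
}

// Walks a parsed ActivityPub object and returns every link that fails the allowlist:
// string values of "href"/"url" keys (tag, attachment, url fields) and href attributes
// of <a> tags inside "content" (a regex scan, not a full HTML parser).
const ANCHOR_HREF = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["']/gi;
function findUnsafeLinks(node: unknown, found: string[] = []): string[] {
  if (Array.isArray(node)) {
    for (const item of node) findUnsafeLinks(item, found);
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node as Record<string, unknown>)) {
      if ((key === "href" || key === "url") && typeof value === "string") {
        if (!isSafeHref(value)) found.push(value);
      } else if (key === "content" && typeof value === "string") {
        const re = new RegExp(ANCHOR_HREF); // fresh lastIndex for each content field
        let m: RegExpExecArray | null;
        while ((m = re.exec(value)) !== null) if (!isSafeHref(m[1])) found.push(m[1]);
      } else {
        findUnsafeLinks(value, found);
      }
    }
  }
  return found;
}

// Constructed sample Note as it might arrive from a remote instance (not a real capture).
const SAMPLE_NOTE = {
  type: "Note",
  content: '<p>see <a href="https://example.org/post">post</a> and <a href="JaVaScRiPt:void(0)">this</a></p>',
  tag: [{ type: "Mention", href: "https://remote.example/users/bob" }],
  attachment: [{ type: "Document", url: " javascript:void(0)" }],
};
console.log(findUnsafeLinks(SAMPLE_NOTE)); // → [ 'JaVaScRiPt:void(0)', ' javascript:void(0)' ]
```

Running findUnsafeLinks over inbound objects and logging its output gives a concrete log line for the SIEM query above instead of a free-text match on "javascript:".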
