CVE-2023-52077

8.9 HIGH

📋 TL;DR

Nexkey, a lightweight fork of Misskey, allowed external applications using administrator or moderator tokens to call administrative APIs. This vulnerability enables malicious third-party apps to modify server settings and potentially compromise sensitive credentials like object storage and email server access. All Nexkey servers running versions prior to 12.23Q4.5 are affected.

💻 Affected Systems

Products:
  • Nexkey
Versions: All versions prior to 12.23Q4.5
Operating Systems: Any OS running Nexkey
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability affects the default configuration of Nexkey. The issue stems from improper authorization checks for admin APIs when called by external applications using admin/moderator tokens.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover: attackers could reconfigure server settings, steal object storage credentials (potentially exposing all stored files), compromise email server credentials, and perform other administrative actions leading to data breach and service disruption.

🟠 Likely Case

Unauthorized administrative actions: malicious apps could modify server configurations, disable security features, or access sensitive administrative functions without proper authorization.

🟢 If Mitigated

Limited impact if proper token management and app review processes are in place, though the vulnerability still represents a significant privilege escalation risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an attacker to trick an administrator or moderator into authorizing a malicious third-party application, or compromise an existing authorized application. Once authorized, the malicious app can call admin APIs using the granted token.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.23Q4.5

Vendor Advisory: https://github.com/nexryai/nexkey/security/advisories/GHSA-pjj7-7hcj-9cpc

Restart Required: Yes

Instructions:

1. Backup your Nexkey instance and database.
2. Update to version 12.23Q4.5 or later using your package manager or by pulling the latest code from the repository.
3. Restart the Nexkey service.
4. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Revoke all third-party application tokens

Applies to: all

Immediately revoke all tokens issued to third-party applications, especially those granted to administrators and moderators.

Navigate to Settings > Security > Sessions in your Nexkey instance and revoke all third-party application tokens.

Restrict admin/moderator token usage

Applies to: all

Temporarily disable or restrict the ability for administrators and moderators to authorize third-party applications.

Modify configuration to disable OAuth/API token generation for privileged users until patched.

🧯 If You Can't Patch

  • Immediately revoke all third-party application tokens issued to administrators and moderators
  • Implement network-level controls to restrict API access from external applications
  • Monitor admin API logs for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check your Nexkey version. If it's earlier than 12.23Q4.5, you are vulnerable.

Check Version:

Check the version in the Nexkey web interface under Settings > About, or examine the package version in your system's package manager.

Verify Fix Applied:

After updating, verify the version is 12.23Q4.5 or later and test that third-party applications can no longer call admin APIs with regular user tokens.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized admin API calls from third-party applications
  • Admin API access from non-admin user contexts
  • Suspicious configuration changes via API

Network Indicators:

  • External applications making requests to admin API endpoints
  • Unusual API call patterns to sensitive endpoints

SIEM Query:

source="nexkey" AND (api_endpoint="/api/admin/*" OR api_endpoint="/api/moderator/*") AND user_role!="admin"
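As an added example (not part of this advisory and not Nexkey's own code), the log indicators above run over a few constructed access-log lines. It assumes a JSON log with `endpoint`, `role`, `token_kind` and `app` fields, which is an assumption about the deployment rather than a documented Nexkey format. It goes a step beyond the SIEM query: besides privileged endpoints hit from a non-admin context, it flags privileged endpoints reached through an app-issued token even when the token's owner is an admin or moderator, since that is the pattern this CVE describes.

```python
import json
from typing import Dict, List, Optional

# Endpoint prefixes this advisory lists as sensitive.
PRIVILEGED_PREFIXES = ("/api/admin/", "/api/moderator/")

# Constructed sample log lines (not real Nexkey output): one JSON object
# per line, using the field names this example assumes the deployment emits.
SAMPLE_LOG = """\
{"ts":"2024-01-10T09:00:01Z","endpoint":"/api/notes/create","role":"user","token_kind":"app","app":"mobile-client"}
{"ts":"2024-01-10T09:00:05Z","endpoint":"/api/admin/update-meta","role":"admin","token_kind":"native","app":null}
{"ts":"2024-01-10T09:01:12Z","endpoint":"/api/admin/update-meta","role":"admin","token_kind":"app","app":"third-party-dashboard"}
{"ts":"2024-01-10T09:02:40Z","endpoint":"/api/moderator/suspend-user","role":"moderator","token_kind":"app","app":"third-party-dashboard"}
{"ts":"2024-01-10T09:03:00Z","endpoint":"/api/admin/show-user","role":"user","token_kind":"native","app":null}
"""


def is_privileged(endpoint: str) -> bool:
    return endpoint.startswith(PRIVILEGED_PREFIXES)


def classify(event: Dict) -> Optional[str]:
    """Label one access event, or return None when it is benign."""
    if not is_privileged(event.get("endpoint", "")):
        return None
    if event.get("token_kind") == "app":
        # The CVE-2023-52077 pattern: a privileged endpoint reached through a
        # token granted to an external app, whatever the owner's role is.
        return "admin-api-via-app-token"
    if event.get("role") not in ("admin", "moderator"):
        # What the advisory's SIEM query catches: a privileged endpoint hit
        # from a non-privileged context (should be rejected; still log it).
        return "admin-api-non-privileged-role"
    return None


def scan(log_text: str) -> List[Dict]:
    """Run classify() over every JSON line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label is not None:
            findings.append({"ts": event["ts"], "endpoint": event["endpoint"],
                             "app": event.get("app"), "finding": label})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['finding']} endpoint={f['endpoint']} app={f['app']}")
```

On the constructed sample this reports three findings: two admin/moderator endpoint calls made through the "third-party-dashboard" app token, and one admin endpoint reached from a plain user context.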
