CVE-2024-32983

8.2 HIGH

📋 TL;DR

This vulnerability in Misskey allows attackers to spoof signed ActivityPub activity objects by exploiting improper JSON normalization. Attackers can impersonate legitimate users and post content as them. All Misskey instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Misskey
Versions: All versions before 2024.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Misskey instances that process ActivityPub activities are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover where attackers can post malicious content, spread misinformation, or perform actions as any user on the federated network.

🟠 Likely Case

Impersonation attacks where attackers post content appearing to come from legitimate users, damaging reputations and spreading misinformation.

🟢 If Mitigated

Limited impact with proper monitoring and quick detection of anomalous activity patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of ActivityPub protocol and JSON manipulation but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.5.0

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj

Restart Required: Yes

Instructions:

1. Back up your Misskey instance.
2. Update to version 2024.5.0 or later using your package manager or git pull.
3. Run database migrations if required.
4. Restart the Misskey service.

🔧 Temporary Workarounds

Temporary ActivityPub Inbound Block

all

Block incoming ActivityPub activities to prevent exploitation while patching

Configure firewall to block inbound ActivityPub traffic or disable ActivityPub federation temporarily

🧯 If You Can't Patch

  • Implement strict monitoring for anomalous posting patterns and impersonation attempts
  • Consider temporarily disabling ActivityPub federation features

🔍 How to Verify

Check if Vulnerable:

Check if Misskey version is below 2024.5.0

Check Version:

Check package.json, or run the following in the Misskey directory: node -e "console.log(require('./package.json').version)"

Verify Fix Applied:

Confirm version is 2024.5.0 or higher and test ActivityPub functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual ActivityPub activity patterns
  • Posts from users with mismatched signatures
  • Spike in impersonation reports

Network Indicators:

  • Malformed JSON in ActivityPub requests
  • Suspicious federation activity

SIEM Query:

source="misskey" AND ("ActivityPub" OR "federation") AND ("error" OR "malformed" OR "signature")
