CVE-2025-25306

9.3 CRITICAL

📋 TL;DR

This vulnerability in Misskey allows attackers to forge ActivityPub objects by manipulating the relationship between the 'id' and 'url' fields, bypassing authorization checks. It affects all Misskey instances running vulnerable versions and potentially enables unauthorized actions. The issue stems from insufficient validation in the patch for CVE-2024-52591.

💻 Affected Systems

Products:
  • Misskey
Versions: All versions before 2025.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Misskey instances regardless of configuration, as the vulnerability is in core ActivityPub handling.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, unauthorized content manipulation, or federation-wide impersonation attacks across the ActivityPub network.

🟠 Likely Case: Unauthorized posting, content deletion, or account manipulation on vulnerable Misskey instances.

🟢 If Mitigated: Limited impact with proper input validation and ActivityPub object verification in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an understanding of the ActivityPub protocol and object structure, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.2.1

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26

Restart Required: Yes

Instructions:

1. Back up your Misskey instance.
2. Update to version 2025.2.1 via git pull or your package manager.
3. Run 'pnpm install' to update dependencies.
4. Restart the Misskey service.

🔧 Temporary Workarounds

Temporary ActivityPub Filtering

Applies to: all

Implement network filtering to block suspicious ActivityPub objects with mismatched id/url fields.

🧯 If You Can't Patch

  • Implement strict input validation for all ActivityPub objects
  • Monitor logs for suspicious ActivityPub object patterns and block offending sources

🔍 How to Verify

Check if Vulnerable:

Check whether the Misskey version is earlier than 2025.2.1.

Check Version:

Check the version field in package.json, or run 'git log --oneline -1' in the Misskey directory to identify the checked-out commit.

Verify Fix Applied:

Confirm the version is 2025.2.1 or later and test that ActivityPub object validation rejects objects with mismatched id/url fields.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ActivityPub object processing
  • Authorization bypass attempts in ActivityPub handlers

Network Indicators:

  • Suspicious ActivityPub payloads with manipulated id/url fields

SIEM Query:

source="misskey" AND ("ActivityPub" OR "authorization bypass")

🔗 References
