CVE-2025-46340 – This CVE describes a CSS injection vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2025-46340?

CVE-2025-46340 has a CVSS score of 7.2 (HIGH). This CVE describes a CSS injection vulnerability in Misskey's URL preview functionality. Attackers can inject arbitrary CSS to create fake error messages that could deceive users into revealing credentials or sensitive information. All Misskey instances running versions 12.0.0 through 2025.4.0 are affected.

📋 TL;DR

This CVE describes a CSS injection vulnerability in Misskey's URL preview functionality. Attackers can inject arbitrary CSS to create fake error messages that could deceive users into revealing credentials or sensitive information. All Misskey instances running versions 12.0.0 through 2025.4.0 are affected.

💻 Affected Systems

Products:

Misskey

Versions: 12.0.0 through 2025.4.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All deployments with URL preview functionality enabled are vulnerable. The vulnerability affects both self-hosted and federated instances.

📦 What is this software?

Misskey by Misskey

View all CVEs affecting Misskey →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could create convincing phishing interfaces within the Misskey application, leading to credential theft, account takeover, and potential lateral movement within federated networks.

🟠

Likely Case

Attackers create deceptive UI elements to trick users into clicking malicious links or revealing sensitive information through social engineering.

🟢

If Mitigated

With proper content security policies and user awareness, impact is limited to visual deception without direct code execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires crafting malicious URLs that trigger the CSS injection. No authentication is needed as the vulnerability is in URL preview processing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.4.1

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-3p2w-xmv5-jm95

Restart Required: Yes

Instructions:

1. Update Misskey to version 2025.4.1 or later. 2. Run database migrations if required. 3. Restart the Misskey service. 4. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Disable URL Previews

all

Temporarily disable URL preview functionality to prevent exploitation

Edit Misskey configuration to set 'enableUrlPreview' to false

Implement CSP Headers

all

Add Content Security Policy headers to restrict CSS execution

Add 'Content-Security-Policy: style-src 'self'' to web server configuration

🧯 If You Can't Patch

Implement strict Content Security Policy headers to limit CSS execution
Disable URL preview functionality entirely in configuration

🔍 How to Verify

Check if Vulnerable:

Check if Misskey version is between 12.0.0 and 2025.4.0 inclusive

Check Version:

Check Misskey admin panel or run: cat package.json | grep version

Verify Fix Applied:

Confirm version is 2025.4.1 or later and test URL preview functionality with test payloads

📡 Detection & Monitoring

Log Indicators:

Unusual URL patterns in access logs
Multiple failed URL preview generation attempts
Suspicious CSS-like patterns in request parameters

Network Indicators:

Requests with unusual protocols in URLs
URLs containing CSS injection patterns

SIEM Query:

source="misskey-logs" AND (url="*data:*" OR url="*javascript:*" OR message="*background-image:*")

📊 Metadata

CVE ID: CVE-2025-46340

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-20

EPSS Score: 0.07% exploit probability (21.6th percentile)

Published: May 5, 2025

Last Updated: September 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-46340, you might also want to check these: