CVE-2025-66402

6.5 MEDIUM

📋 TL;DR

This vulnerability in Misskey allows unauthorized users to export and view posts from favorites or clips they shouldn't have access to. It affects Misskey instances running versions from 13.0.0-beta.16 up to but not including 2025.12.0. This is an authorization bypass issue where export functionality doesn't properly check permissions.

💻 Affected Systems

Products:
  • Misskey
Versions: 13.0.0-beta.16 to 2025.12.0 (exclusive)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Misskey instances with the export feature enabled. The vulnerability is in the core platform and affects all deployments regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized actors could export and view all private/sensitive posts from any user's favorites or clips, potentially exposing confidential information, private communications, or sensitive content.

🟠 Likely Case

Attackers with basic user accounts could access and export posts from other users' private favorites/clips, violating privacy expectations and potentially exposing sensitive content.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized viewing of posts that should have been private; the flaw gives no ability to modify or delete them.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires at least a basic user account but no special permissions. The vulnerability is straightforward to exploit once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.12.0

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-496g-mmpw-j9x3

Restart Required: Yes

Instructions:

1. Back up your Misskey instance.
2. Update Misskey to version 2025.12.0 or later using your preferred update method (git pull, package manager, or manual update).
3. Run database migrations if required.
4. Restart the Misskey service.

🔧 Temporary Workarounds

Disable Export Feature

all

Temporarily disable the export functionality for favorites and clips until patching is possible.

# Modify Misskey configuration to disable export features
# Check Misskey documentation for specific configuration options

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for export-related API endpoints
  • Consider temporarily disabling user access to export features through configuration or reverse proxy rules

🔍 How to Verify

Check if Vulnerable:

Check your Misskey version. If it is 13.0.0-beta.16 or later and earlier than 2025.12.0, you are vulnerable.

Check Version:

Check the Misskey admin panel or run: cat /path/to/misskey/package.json | grep version

Verify Fix Applied:

After updating, verify the version is 2025.12.0 or later and test that unauthorized users cannot export posts from others' favorites/clips.

📡 Detection & Monitoring

Log Indicators:

  • Unusual export activity from users without proper permissions
  • Multiple export requests from single users
  • Export requests for other users' content

Network Indicators:

  • API calls to export endpoints without proper authorization headers
  • Unusual patterns in /api/clips/export or /api/favorites/export requests

SIEM Query:

source="misskey" AND (uri_path="/api/clips/export" OR uri_path="/api/favorites/export") AND user_id!=requested_user_id
