CVE-2025-66482
📋 TL;DR
This vulnerability allows attackers to bypass IP-based rate limiting in Misskey by forging X-Forwarded-For headers. It affects Misskey instances running versions 2025.9.1 through 2025.11.1 with default configurations, particularly those without a trusted reverse proxy or using untrusted proxies.
💻 Affected Systems
- Misskey
📦 What is this software?
Misskey by Misskey
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform unlimited brute-force attacks, credential stuffing, or denial-of-service by bypassing rate limits, potentially leading to account compromise or service disruption.
Likely Case
Attackers bypass rate limiting to perform automated attacks like spam posting, account enumeration, or API abuse at higher volumes than intended.
If Mitigated
With proper configuration (trustProxy: false, or a trusted reverse proxy in front of the instance), IP rate limiting functions correctly and header-based bypass attempts are prevented.
🎯 Exploit Status
Exploitation requires sending HTTP requests with forged X-Forwarded-For headers. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.12.0-alpha.2
Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm
Restart Required: Yes
Instructions:
1. Update Misskey to version 2025.12.0-alpha.2 or later.
2. Restart the Misskey service.
3. Verify the configuration if using a reverse proxy.
🔧 Temporary Workarounds
Manual Configuration Fix
Set trustProxy to false in the Misskey configuration file to prevent header-based rate limit bypass.
Edit the config file (typically config.yml) and add or confirm the line: trustProxy: false
🧯 If You Can't Patch
- Deploy a trusted reverse proxy (such as nginx or Apache) with proper X-Forwarded-For header validation
- Implement network-level rate limiting at firewall or load balancer
🔍 How to Verify
Check if Vulnerable:
Check the config file for the trustProxy setting. If the instance runs a version from 2025.9.1 through 2025.11.1 and trustProxy is not explicitly set to false, the system is vulnerable.
Check Version:
Check package.json, or run the following from the Misskey directory: node -e "console.log(require('./package.json').version)"
Verify Fix Applied:
After updating, verify that trustProxy is false in the config and confirm that rate limiting still applies to requests carrying forged X-Forwarded-For headers.
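The two checks above (version in the affected range, trustProxy not explicitly false) can be scripted. The following is an added example, not code from this page or from the Misskey project; it assumes trustProxy is a top-level boolean key in config.yml, as the page states, and uses a simplified line-based reader rather than a full YAML parser. The sample config contents are constructed.

```python
import re
from typing import Optional, Tuple

# Affected release range and fix version as given in this advisory summary.
AFFECTED_MIN = (2025, 9, 1)
AFFECTED_MAX = (2025, 11, 1)
FIXED_VERSION = "2025.12.0-alpha.2"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return the numeric YEAR.MONTH.PATCH triple of a Misskey version string.

    A prerelease suffix such as '-alpha.2' is ignored because the affected
    range on this page is expressed in release versions only.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Misskey version string: {version!r}")
    year, month, patch = (int(x) for x in m.groups())
    return (year, month, patch)


def version_in_affected_range(version: str) -> bool:
    """True when the version falls inside 2025.9.1 .. 2025.11.1 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def read_trust_proxy(config_text: str) -> Optional[bool]:
    """Return the value of the top-level trustProxy key, or None if absent.

    Simplified reader (assumption: the key is a top-level boolean scalar, as
    described on this page). It is not a full YAML parser; a commented-out
    line counts as absent, and an unrecognised value is reported as None.
    """
    for line in config_text.splitlines():
        m = re.match(r"^trustProxy\s*:\s*([^#\s]+)", line)
        if not m:
            continue
        raw = m.group(1).strip("\"'").lower()
        if raw in ("true", "yes", "on"):
            return True
        if raw in ("false", "no", "off"):
            return False
        return None  # unrecognised value: not an explicit false
    return None


def is_vulnerable(version: str, config_text: str) -> bool:
    """Apply the page's rule: affected version AND trustProxy not explicitly false."""
    if not version_in_affected_range(version):
        return False
    return read_trust_proxy(config_text) is not False


# Constructed sample config.yml contents (not a real instance's configuration).
SAMPLE_CONFIG_MISSING = "url: https://example.invalid/\nport: 3000\n"
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG_MISSING + "trustProxy: false\n"

if __name__ == "__main__":
    cases = [
        ("2025.11.1", SAMPLE_CONFIG_MISSING),   # affected, key absent
        ("2025.11.1", SAMPLE_CONFIG_FIXED),     # affected, workaround applied
        (FIXED_VERSION, SAMPLE_CONFIG_MISSING), # patched release
    ]
    for ver, cfg in cases:
        print(f"version={ver:18} trustProxy={read_trust_proxy(cfg)!s:5} "
              f"vulnerable={is_vulnerable(ver, cfg)}")
```

Note that the "If Mitigated" section pairs trustProxy: false with a trusted reverse proxy as alternatives: when a trusted proxy legitimately sets X-Forwarded-For, turning trust off makes every client appear to come from the proxy's own address, so this script only identifies the configuration the page calls vulnerable; it does not judge whether a proxy deployment is otherwise correct.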
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from same IP with varying X-Forwarded-For headers
- Rate limit bypass logs if enabled
Network Indicators:
- HTTP requests with suspicious X-Forwarded-For header patterns
- High volume requests from single source IP
SIEM Query:
source="misskey" AND ("rate limit" OR "authentication failed") | stats count by src_ip, http_x_forwarded_for
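The log indicator above (many failed sign-ins from one source address with varying X-Forwarded-For values) and the SIEM query's grouping by src_ip and http_x_forwarded_for can be reproduced offline over access logs. The following is an added example, not part of this page or of the Misskey project; it assumes an nginx-style access log with "$http_x_forwarded_for" appended as the last quoted field, and the sign-in path, failure status code, addresses and timestamps in the constructed sample are illustrative assumptions, not captured data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed sample access log. 203.0.113.7 sends repeated failed sign-ins,
# each with a different forged header; 192.0.2.10 plays a legitimate reverse
# proxy forwarding several distinct real clients; 198.51.100.20 is a normal
# user who mistypes a password once and then succeeds.
SAMPLE_LOG = '''\
203.0.113.7 - - [01/Dec/2025:10:00:01 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "curl/8.4.0" "10.0.0.1"
203.0.113.7 - - [01/Dec/2025:10:00:01 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "curl/8.4.0" "10.0.0.2"
203.0.113.7 - - [01/Dec/2025:10:00:02 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "curl/8.4.0" "10.0.0.3"
203.0.113.7 - - [01/Dec/2025:10:00:02 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "curl/8.4.0" "10.0.0.4"
203.0.113.7 - - [01/Dec/2025:10:00:03 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "curl/8.4.0" "10.0.0.5"
203.0.113.7 - - [01/Dec/2025:10:00:03 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "curl/8.4.0" "10.0.0.6"
192.0.2.10 - - [01/Dec/2025:10:00:04 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "Mozilla/5.0" "172.16.5.21"
192.0.2.10 - - [01/Dec/2025:10:00:04 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "Mozilla/5.0" "172.16.5.22"
192.0.2.10 - - [01/Dec/2025:10:00:05 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "Mozilla/5.0" "172.16.5.23"
192.0.2.10 - - [01/Dec/2025:10:00:05 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "Mozilla/5.0" "172.16.5.24"
192.0.2.10 - - [01/Dec/2025:10:00:06 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "Mozilla/5.0" "172.16.5.25"
198.51.100.20 - - [01/Dec/2025:10:00:07 +0000] "POST /api/signin HTTP/1.1" 403 41 "-" "Mozilla/5.0" "-"
198.51.100.20 - - [01/Dec/2025:10:00:09 +0000] "POST /api/signin HTTP/1.1" 200 120 "-" "Mozilla/5.0" "-"
'''

# nginx combined format plus one trailing quoted field for X-Forwarded-For.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


@dataclass
class SourceStats:
    requests: int = 0                                   # all requests from this source
    failed_auth: int = 0                                # failed sign-in attempts
    xff_values: Set[str] = field(default_factory=set)   # distinct XFF seen on failures


def analyse(log_text: str, signin_path: str = "/api/signin",
            failure_status: int = 403) -> Dict[str, SourceStats]:
    """Group requests by connecting address; on failed sign-ins record the XFF value."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        s = stats[m["src"]]
        s.requests += 1
        if m["path"] == signin_path and int(m["status"]) == failure_status:
            s.failed_auth += 1
            s.xff_values.add(m["xff"])
    return dict(stats)


def suspicious_sources(stats: Dict[str, SourceStats], min_failures: int = 5,
                       min_distinct_xff: int = 3,
                       trusted_proxies: FrozenSet[str] = frozenset()) -> List[str]:
    """Connecting addresses with many failed sign-ins under varying XFF headers.

    A genuine reverse proxy also presents varying XFF values for different
    clients, so known proxy addresses are excluded; what remains is an address
    that speaks to the instance directly while rewriting the header per request.
    """
    return sorted(
        ip for ip, s in stats.items()
        if ip not in trusted_proxies
        and s.failed_auth >= min_failures
        and len(s.xff_values) >= min_distinct_xff
    )


if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} requests={s.requests} failed={s.failed_auth} "
              f"distinct_xff={len(s.xff_values)}")
    print("flagged (no allowlist):", suspicious_sources(stats))
    print("flagged (proxy allowlisted):",
          suspicious_sources(stats, trusted_proxies=frozenset({"192.0.2.10"})))
```

The allowlist matters: without it the legitimate proxy in the sample is flagged alongside the forging client, because from the instance's point of view both show many failures under many different forwarded addresses. In a deployment the trusted proxy's address is the only place varying X-Forwarded-For values should originate, which is the same distinction the page's "trusted reverse proxy" mitigation relies on.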