CVE-2024-52593

Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any "origin" links (such as the "view on remote instance" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:misskey:misskey::::::::
	cpe:2.3:a:misskey:misskey:2024.11.0:alpha0::::::
	cpe:2.3:a:misskey:misskey:2024.11.0:alpha1::::::
	cpe:2.3:a:misskey:misskey:2024.11.0:alpha2::::::

History

26 Nov 2025, 16:34

Type	Values Removed	Values Added
CPE		cpe:2.3:a:misskey:misskey:2024.11.0:alpha1:::::: cpe:2.3:a:misskey:misskey:2024.11.0:alpha0:::::: cpe:2.3:a:misskey:misskey:::::::: cpe:2.3:a:misskey:misskey:2024.11.0:alpha2::::::
First Time		Misskey misskey Misskey
References	~~() https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj -~~	() https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
Summary		(es) Misskey es una plataforma de redes sociales federada de código abierto. En las versiones afectadas, la falta de validación en `NoteCreateService.insertNote`, `ApPersonService.createPerson` y `ApPersonService.updatePerson` permite a un atacante controlar el destino de cualquier enlace de "origen" (como el banner "ver en instancia remota"). Se puede configurar cualquier URL HTTPS, incluso si pertenece a un dominio diferente al de la nota/usuario. Las instancias vulnerables de Misskey utilizarán la URL no verificada para varios enlaces en los que se puede hacer clic, lo que permite a un atacante realizar ataques de phishing u otros ataques contra usuarios remotos. Este problema se ha solucionado en la versión 2024.11.0-alpha.3. Se recomienda a los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad.

18 Dec 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-18 20:15

Updated : 2025-11-26 16:34

NVD link : CVE-2024-52593

Mitre link : CVE-2024-52593

CVE.ORG link : CVE-2024-52593

JSON object : View

Products Affected

misskey

misskey

CWE

CWE-20

Improper Input Validation

5.3 /10