Description

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.

INFO

Published Date :

2025-05-05T18:38:36.144Z

Last Modified :

2025-05-05T18:44:52.723Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-46559 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-46559.

URL Resource
https://github.com/misskey-dev/misskey/commit/583df3ec63e25a1fd34def0dac13405396b8b663 cve-icon cve-icon
https://github.com/misskey-dev/misskey/security/advisories/GHSA-gmq6-738q-vjp2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact