Description

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure if they manually overode this value should check their config for optimal behavior. Users are running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file.

INFO

Published Date :

2025-12-15T23:18:37.295Z

Last Modified :

2025-12-16T15:09:19.925Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66482 vulnerability.

Vendors Products
Misskey
  • Misskey
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66482.

URL Resource
https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7 cve-icon cve-icon
https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability