CVE-2024-49363
Published: 18 December 2024
Summary
CVE-2024-49363 is a high-severity vulnerability classified as CWE-405, Asymmetric Resource Consumption (Amplification). Its CVSS base score is 7.4 (High).
Operationally, it ranks at the 41.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43810
Vulnerability details
Misskey is an open source, federated social media platform. In affected versions, FileServerService (the media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial of service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check that incoming requests are not coming from another proxy server. An attacker can execute an amplified denial of service by sending a nested proxy request to the server and ending the request with a malicious redirect back to another nested proxy request, leading to unbounded recursion until the original request times out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker cannot effectively modify the User-Agent header without making another request to the server.
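The loop described above, as an added example that is not Misskey's code: a toy model of the media proxy endpoint, the attacker's redirecting server, and a loop guard that applies the same condition the advisory recommends at the reverse proxy (refuse an empty User-Agent or one containing Misskey/). The instance URL, attacker URL, User-Agent string, hop limit, and every function and class name are constructed for illustration; this is not the project's actual patch.

```javascript
// Added example (not Misskey's code): a toy model of a media proxy that shows
// how a proxy request bounced back through a redirect recurses without bound,
// and how a loop guard on the inbound User-Agent stops it.
// INSTANCE, ATTACKER_URL and OUTBOUND_UA are constructed values.
const INSTANCE = 'https://social.example';
const ATTACKER_URL = 'https://attacker.example/bounce';
// A Misskey-style outbound User-Agent; the guard relies on it containing "Misskey/".
const OUTBOUND_UA = 'Misskey/2024.10.1 (https://social.example)';

// Loop guard: refuse requests that look like they were issued by another media
// proxy (User-Agent contains "Misskey/") or that hide their User-Agent entirely.
// Same condition as the reverse-proxy rule in the advisory.
function isProxyLoopRequest(headers) {
  const ua = (headers['user-agent'] ?? '').trim();
  return ua === '' || ua.includes('Misskey/');
}

// Fake network: routes URLs to the instance's proxy endpoint, to the attacker's
// redirecting server, or to a benign image host. Counts every outbound fetch.
class FakeNetwork {
  constructor({ guard, maxHops = 32 }) {
    this.guard = guard;
    this.maxHops = maxHops; // stands in for the request timeout
    this.fetches = 0;
  }

  fetch(url, headers, hop = 0) {
    this.fetches += 1;
    if (hop >= this.maxHops) {
      throw new Error('timed out: redirect chain never terminated');
    }
    const u = new URL(url);
    if (u.origin === INSTANCE && u.pathname === '/proxy') {
      // The URL points back at our own proxy endpoint: a nested proxy request.
      return proxyHandler({ url, headers }, this, hop + 1);
    }
    if (url === ATTACKER_URL) {
      // The attacker's server answers with a 302 back into the proxy; the client follows it.
      const location = `${INSTANCE}/proxy?url=${encodeURIComponent(ATTACKER_URL)}`;
      return this.fetch(location, headers, hop + 1);
    }
    return { status: 200, body: 'image bytes' };
  }
}

// Toy stand-in for the proxy handler: optionally applies the loop guard, then
// fetches the requested target with the proxy's own User-Agent.
function proxyHandler(req, net, hop = 0) {
  if (net.guard && isProxyLoopRequest(req.headers)) {
    return { status: 403, body: 'refused: request originates from a media proxy' };
  }
  const target = new URL(req.url).searchParams.get('url');
  if (target === null) return { status: 400, body: 'missing url' };
  return net.fetch(target, { 'user-agent': OUTBOUND_UA }, hop);
}

// Drive one attacker request and report how many upstream fetches it caused.
function simulate({ guard }) {
  const net = new FakeNetwork({ guard });
  const req = {
    url: `${INSTANCE}/proxy?url=${encodeURIComponent(ATTACKER_URL)}`,
    headers: { 'user-agent': 'curl/8.6.0' }, // the attacker's own client
  };
  try {
    const res = proxyHandler(req, net);
    return { outcome: `status ${res.status}`, fetches: net.fetches };
  } catch (e) {
    return { outcome: 'timeout', fetches: net.fetches };
  }
}

console.log('unpatched:', simulate({ guard: false })); // timeout after 33 fetches
console.log('guarded:  ', simulate({ guard: true }));  // status 403 after 2 fetches
```

Run it with node. The unguarded run recurses until the hop limit (the stand-in for the request timeout): the attacker pays for one request while the server performs 33 fetches, and a real chain would stop only when the original request timed out. The guarded run stops at the first bounce, because the nested request arrives carrying the proxy's own Misskey/ User-Agent and is refused with 403 before any further fetch. The guard also refuses an empty User-Agent, so stripping the header does not bypass it.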
- CWE(s): CWE-405, Asymmetric Resource Consumption (Amplification)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Misskey 2024.10.1 and earlier (FileServerService media proxy); fixed in 2024.11.0-alpha.3.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Supports resumption at an alternate site when uncontrolled recursion causes primary site failure or crash.
- Employs controls that mitigate amplification attacks causing asymmetric resource use.
- Alternate services reduce the impact of amplification attacks that exhaust primary telecommunications resources.
- Amplification attacks that exhaust the primary path are mitigated by the existence of an independent alternate path for command traffic.
- Limits amplification effects by controlling how resources are allocated under high-volume or recursive load.