Cyber Posture

CVE-2025-25306

Critical

Published: 10 March 2025

Modified: 26 November 2025
KEV Added
Patch
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N)
EPSS Score: 0.0008 (22.9th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25306 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Misskey. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires validation of incoming ActivityPub object fields like id and url to ensure proper authority relationships, preventing forgery exploits.

prevent

Mandates timely identification, reporting, and patching of flaws like this incomplete validation fix in Misskey version 2025.2.1.

prevent, detect

Enforces boundary protection by monitoring and validating communications at external interfaces, mitigating remote unauthenticated ActivityPub object forgery.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-25306 is an incomplete patch allowing unauthenticated remote exploitation of the public-facing Misskey web application to forge ActivityPub objects and federated notes.

NVD Description

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields of ActivityPub objects. An attacker can forge an object where they claim authority in the `url` field even if the specific ActivityPub object type requires authority in the `id` field. Version 2025.2.1 addresses the issue.

Deeper analysis · AI

CVE-2025-25306 is a vulnerability in Misskey, an open source, federated social media platform based on ActivityPub. The issue stems from an incomplete patch for the prior CVE-2024-52591, which failed to properly validate the relationship between the `id` and `url` fields in ActivityPub objects. This allows attackers to forge objects that claim authority via the `url` field, even for object types that require authority in the `id` field. Affected versions are those prior to 2025.2.1, with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N) and associated CWEs including CWE-346 (Origin Validation Error), CWE-441 (Unintended Proxy or Intermediary), and CWE-1025 (Comparison Using Non-Equal Operators).

Unauthenticated attackers can exploit this remotely with low complexity and no user interaction, leveraging the federated nature of Misskey to send malicious ActivityPub objects from remote instances. Successful exploitation enables high integrity impacts, such as forging authoritative objects to impersonate entities or manipulate federated content, alongside low confidentiality effects, while scope changes amplify the consequences across instances.

Misskey version 2025.2.1 fully addresses the vulnerability through improved validation of `id` and `url` relations in ActivityPub objects. Security practitioners should update to this release immediately, as detailed in the official advisory (GHSA-6w2c-vf6f-xf26) and release notes (2025.2.1 tag).
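
The kind of `id`/`url` relation check described above can be sketched as follows. This is an added example, not Misskey's patch or code: the function names, the `fetchedFrom` parameter and the strict same-host policy are assumptions made for illustration, and the sample objects are constructed.

```javascript
// Added illustration; NOT Misskey's code. Assumed policy: authority comes
// only from `id`, and every `url` entry must share the id's host.

// Parse an https URL and return its normalized host, or null if unusable.
function hostOf(value) {
  if (typeof value !== 'string') return null;
  try {
    const u = new URL(value);
    // URL lowercases and punycodes the host; reject non-https and userinfo.
    if (u.protocol !== 'https:' || u.username || u.password) return null;
    return u.host;
  } catch {
    return null;
  }
}

// ActivityPub `url` may be a string, a Link object ({ href }), or an array of either.
function urlCandidates(url) {
  if (url == null) return [];
  const list = Array.isArray(url) ? url : [url];
  return list.map((e) => (e && typeof e === 'object' ? e.href : e));
}

// fetchedFrom (hypothetical parameter): the URL the object was actually retrieved from.
function checkObjectAuthority(obj, fetchedFrom) {
  const idHost = hostOf(obj && obj.id);
  if (!idHost) return { ok: false, reason: 'id missing or not an https URL' };
  if (idHost !== hostOf(fetchedFrom)) {
    return { ok: false, reason: 'id host differs from the host that served the object' };
  }
  // A Link without href yields undefined here and is rejected by the comparison.
  for (const candidate of urlCandidates(obj.url)) {
    if (hostOf(candidate) !== idHost) {
      return { ok: false, reason: 'url host differs from id host' };
    }
  }
  return { ok: true, reason: 'id and url share one authority' };
}

// Constructed sample objects (example hosts are placeholders).
const genuine = { type: 'Note', id: 'https://a.example/notes/1', url: 'https://a.example/@alice/1' };
const mismatched = { type: 'Note', id: 'https://b.example/notes/9',
  url: [{ type: 'Link', href: 'https://a.example/@alice/1' }] };

console.log(checkObjectAuthority(genuine, 'https://a.example/notes/1'));
console.log(checkObjectAuthority(mismatched, 'https://b.example/notes/9'));
```

Rejecting the object on any mismatch, rather than silently dropping the `url` field, keeps the failure visible in federation logs.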

Details

CWE(s)

Affected Products

misskey
misskey
≤ 2025.2.1

CVEs Like This One

CVE-2026-28432 (Same product: Misskey Misskey)
CVE-2025-24897 (Same product: Misskey Misskey)
CVE-2026-28431 (Same product: Misskey Misskey)
CVE-2025-24896 (Same product: Misskey Misskey)
CVE-2026-41057 (Shared CWE-346)
CVE-2026-22794 (Shared CWE-346)
CVE-2026-40880 (Shared CWE-1025)
CVE-2025-1102 (Shared CWE-346)
CVE-2024-8487 (Shared CWE-346)
CVE-2025-21511 (Shared CWE-346)
