CVE-2024-52593

Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any "origin" links (such as the "view on remote instance" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:misskey:misskey::::::::
	cpe:2.3:a:misskey:misskey:2024.11.0:alpha0::::::
	cpe:2.3:a:misskey:misskey:2024.11.0:alpha1::::::
	cpe:2.3:a:misskey:misskey:2024.11.0:alpha2::::::

History

26 Nov 2025, 16:34

Type	Values Removed	Values Added
First Time		Misskey Misskey misskey
CPE		cpe:2.3:a:misskey:misskey:2024.11.0:alpha2:::::: cpe:2.3:a:misskey:misskey:2024.11.0:alpha1:::::: cpe:2.3:a:misskey:misskey:::::::: cpe:2.3:a:misskey:misskey:2024.11.0:alpha0::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
References	~~() https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj -~~	() https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj - Vendor Advisory

Information

Published : 2024-12-18 20:15

Updated : 2025-11-26 16:34

NVD link : CVE-2024-52593

Mitre link : CVE-2024-52593

CVE.ORG link : CVE-2024-52593

JSON object : View

Products Affected

misskey

misskey

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2024-52593", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-12-18T20:15:23.983", "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any \"origin\" links (such as the \"view on remote instance\" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Misskey es una plataforma de redes sociales federada de c\u00f3digo abierto. En las versiones afectadas, la falta de validaci\u00f3n en `NoteCreateService.insertNote`, `ApPersonService.createPerson` y `ApPersonService.updatePerson` permite a un atacante controlar el destino de cualquier enlace de \"origen\" (como el banner \"ver en instancia remota\"). Se puede configurar cualquier URL HTTPS, incluso si pertenece a un dominio diferente al de la nota/usuario. Las instancias vulnerables de Misskey utilizar\u00e1n la URL no verificada para varios enlaces en los que se puede hacer clic, lo que permite a un atacante realizar ataques de phishing u otros ataques contra usuarios remotos. Este problema se ha solucionado en la versi\u00f3n 2024.11.0-alpha.3. Se recomienda a los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad."}], "lastModified": "2025-11-26T16:34:54.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FA13E34-3ADE-48E9-8518-A325D7AF5951", "versionEndExcluding": "2024.11.0", "versionStartIncluding": "12.29.0"}, {"criteria": "cpe:2.3:a:misskey:misskey:2024.11.0:alpha0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BF4BE35-2292-4FD3-BE70-1ECB93C759D5"}, {"criteria": "cpe:2.3:a:misskey:misskey:2024.11.0:alpha1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E74599B9-F76E-40E2-A2BC-297FBCD4114A"}, {"criteria": "cpe:2.3:a:misskey:misskey:2024.11.0:alpha2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43BB14C6-8368-49E6-A1EF-6218C7ED998C"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}