CVE-2025-66482

EUVD-2025-203441

16.12.2025, 00:16

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure if they manually overode this value should check their config for optimal behavior. Users are running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
misskey	misskey	13.1.0 ≤ 𝑥 < 2025.12.0
misskey	misskey	13.0.0
misskey	misskey	13.0.0:beta16
misskey	misskey	13.0.0:beta21
misskey	misskey	13.0.0:beta22
misskey	misskey	13.0.0:beta23
misskey	misskey	13.0.0:beta24
misskey	misskey	13.0.0:beta25
misskey	misskey	13.0.0:beta26
misskey	misskey	13.0.0:beta27
misskey	misskey	13.0.0:beta28
misskey	misskey	13.0.0:beta29
misskey	misskey	13.0.0:beta30
misskey	misskey	13.0.0:beta31
misskey	misskey	13.0.0:beta32
misskey	misskey	13.0.0:beta33
misskey	misskey	13.0.0:beta34
misskey	misskey	13.0.0:beta35
misskey	misskey	13.0.0:beta36
misskey	misskey	13.0.0:beta37
misskey	misskey	13.0.0:beta38
misskey	misskey	13.0.0:beta39
misskey	misskey	13.0.0:beta40
misskey	misskey	13.0.0:beta41
misskey	misskey	13.0.0:beta42
misskey	misskey	13.0.0:beta43
misskey	misskey	13.0.0:rc1
misskey	misskey	13.0.0:rc10
misskey	misskey	13.0.0:rc11
misskey	misskey	13.0.0:rc2
misskey	misskey	13.0.0:rc3
misskey	misskey	13.0.0:rc4
misskey	misskey	13.0.0:rc5
misskey	misskey	13.0.0:rc6
misskey	misskey	13.0.0:rc7
misskey	misskey	13.0.0:rc8
misskey	misskey	13.0.0:rc9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-307 - Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References

https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7

https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm