Misskey Cross-Site Request Forgery Vulnerability in Bull-Board API

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Misskey, an open-source federated social media platform. The issue affects versions from 12.109.0 up to, but not including, 2025.2.0-alpha.0. It stems from two defects in how Misskey exposes bull-board, the web dashboard for its Bull job queues: the dashboard's APIs have inadequate CSRF protection, and the authentication cookie used for the dashboard is issued without appropriate security attributes. Because a browser attaches such a cookie to requests regardless of which site initiated them, a page controlled by an attacker can make the browser of a user who is logged in to the dashboard call some bull-board APIs in that user's session, for example to add jobs to a queue. This can significantly disrupt the availability and integrity of the instance's job processing.
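The following is an added example, not code from Misskey or bull-board. It models the two defects the advisory describes, a state-changing dashboard endpoint that accepts any request carrying the session cookie, and a session cookie issued without restrictive attributes, next to a hardened authorization check and cookie. The request objects, cookie name (dashboard_session), session store, origin and tokens are all constructed for illustration and are not the project's own.

```javascript
// Minimal model of cookie-authenticated dashboard API requests.
// Requests are plain objects { method, headers } so the example runs offline.

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Vulnerable pattern: a request to a state-changing API is accepted as long
// as a valid session cookie is attached. A cross-site form post made by an
// attacker's page satisfies this, because the browser attaches the cookie.
function vulnerableAuthorize(req, sessions) {
  const cookies = parseCookies(req.headers.cookie);
  return Boolean(cookies.dashboard_session && sessions.has(cookies.dashboard_session));
}

// Hardened pattern: the cookie still identifies the user, but a state-changing
// request must also (1) come from the dashboard's own origin, judged by the
// browser-set Origin and Sec-Fetch-Site headers, and (2) carry a per-session
// CSRF token in a custom header, which a cross-site form cannot set.
function hardenedAuthorize(req, sessions, allowedOrigin) {
  const cookies = parseCookies(req.headers.cookie);
  const session = sessions.get(cookies.dashboard_session);
  if (!session) return false;
  const method = (req.method || "GET").toUpperCase();
  if (method === "GET" || method === "HEAD" || method === "OPTIONS") return true;
  if (req.headers.origin !== allowedOrigin) return false; // cross-site or missing Origin
  const fetchSite = req.headers["sec-fetch-site"];
  if (fetchSite && fetchSite !== "same-origin") return false;
  return req.headers["x-csrf-token"] === session.csrfToken;
}

// Cookie issuance. The weak form carries no SameSite, Secure or HttpOnly
// attribute and is scoped to the whole site; the hardened form is scoped to the
// dashboard path and is never sent on cross-site requests.
function weakAuthCookie(sessionId) {
  return `dashboard_session=${sessionId}`;
}
function hardenedAuthCookie(sessionId) {
  return `dashboard_session=${sessionId}; Path=/queue; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed scenario: one logged-in dashboard session.
const SESSIONS = new Map([["s3ss10n", { user: "admin", csrfToken: "tok-a1b2" }]]);
const ALLOWED_ORIGIN = "https://misskey.example";

// A POST auto-submitted by an attacker's page; the browser attached the cookie.
const CROSS_SITE_POST = {
  method: "POST",
  headers: {
    cookie: "dashboard_session=s3ss10n",
    origin: "https://attacker.example",
    "sec-fetch-site": "cross-site",
  },
};

// The same POST issued by the dashboard's own front end.
const LEGITIMATE_POST = {
  method: "POST",
  headers: {
    cookie: "dashboard_session=s3ss10n",
    origin: ALLOWED_ORIGIN,
    "sec-fetch-site": "same-origin",
    "x-csrf-token": "tok-a1b2",
  },
};

// Summarise how each check treats the two requests.
function demo() {
  return {
    vulnerableAcceptsCrossSite: vulnerableAuthorize(CROSS_SITE_POST, SESSIONS),
    hardenedAcceptsCrossSite: hardenedAuthorize(CROSS_SITE_POST, SESSIONS, ALLOWED_ORIGIN),
    hardenedAcceptsLegitimate: hardenedAuthorize(LEGITIMATE_POST, SESSIONS, ALLOWED_ORIGIN),
  };
}

console.log(demo());
```

The cookie attribute and the server-side check are complementary: SameSite=Strict stops the browser from attaching the cookie to cross-site requests at all, while the Origin and token checks reject a forged request even from a client that ignores SameSite. Reads stay reachable by plain GET, so every operation that changes queue state must be a non-GET method for the check to protect it.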

Impact

Exploitation requires only that a user holding a valid bull-board session visits a page controlled by the attacker. That page can then invoke bull-board APIs in the victim's session, including adding arbitrary jobs to Misskey's queues, causing considerable disruption to the availability and integrity of the instance's job processing.

Remediation

Users are advised to upgrade Misskey to version 2025.2.0 or later. Where an upgrade is not immediately possible, or as defence in depth, block access to the '/queue' path (the bull-board dashboard and its API) using a web application firewall (WAF) or reverse proxy. Note that blocking '/queue' outright also removes legitimate access to the dashboard; operators who rely on it should instead restrict the path to trusted administrator addresses.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread          2.2
impact          0.6
exploitability  7.2
remediation     7.9
relevance       0.0
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.