Misskey
cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*
- >= 12.0.0
A CSS injection vulnerability has been identified in the Misskey social media platform, affecting versions 12.0.0 through 2025.4.1. The issue arises from inadequate validation in the 'UrlPreviewService' and 'MkUrlPreview' components, allowing attackers to inject arbitrary CSS. The 'UrlPreviewService.wrap' method improperly handles URLs with unrecognized protocols, which can de-anonymize users and facilitate further client-side attacks. Moreover, the 'MkUrlPreview' component fails to properly escape CSS in 'background-image' properties, enabling the application of malicious styles to preview elements. Exploitation could involve creating a fake error message to trick users into revealing sensitive information, such as credentials.
Successful exploitation allows for arbitrary CSS injection, which can be used to manipulate the appearance of elements within the application, potentially leading to phishing attacks or other social engineering tactics.
To reproduce this vulnerability, host an HTML page with a 'twitter:image' Open Graph attribute pointing to an FTP URL crafted to include CSS injection payloads. Then, create a note linking to this page. When the note is rendered, the injected CSS will be applied, demonstrating the vulnerability.
Users can update to Misskey version 2025.4.1 or later, where this vulnerability has been patched.
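The two checks the description implies are missing, as an added example that is not Misskey's patch or code: an allow-list on the preview image URL's scheme, and escaping of the URL before it is placed in a `background-image` value. The function names (`safePreviewUrl`, `escapeCssString`, `backgroundImageValue`) and the sample URLs are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not Misskey's API.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Characters allowed unescaped inside a double-quoted CSS string here.
// Quotes, backslashes, parentheses, whitespace and controls are excluded.
const CSS_SAFE_CHAR = /^[A-Za-z0-9\-._~:\/?#@!$&*+,;=%]$/;

// Server-side step: return a normalized http(s) URL, or null to drop it.
function safePreviewUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(raw); // WHATWG parser; the scheme is lowercased
  } catch {
    return null; // not an absolute URL
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Client-side step: hex-escape every character outside the safe set.
// A CSS hex escape is terminated by one space, which the parser consumes.
function escapeCssString(value) {
  let out = '';
  for (const ch of value) {
    out += CSS_SAFE_CHAR.test(ch)
      ? ch
      : '\\' + ch.codePointAt(0).toString(16) + ' ';
  }
  return out;
}

// Build the background-image value, or null when no image may be shown.
function backgroundImageValue(raw) {
  const url = safePreviewUrl(raw);
  return url === null ? null : 'url("' + escapeCssString(url) + '")';
}

// Constructed sample inputs: one plain URL, one with characters that are
// significant in CSS, and one with a scheme outside the allow-list.
const samples = [
  'https://example.com/thumb.png',
  'https://example.com/a(1).png',
  'ftp://example.invalid/a.png',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', backgroundImageValue(s));
}
```

Binding the image through the element's style object instead of concatenating a style string removes the need for manual escaping, but the scheme allow-list is still required.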