Misskey
cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*
- >= 2025.9.1, < 2025.12.0-alpha.2
A vulnerability in Misskey, an open-source federated social media platform, allows attackers to bypass IP rate limiting. The issue arises when an untrusted reverse proxy is used, or when no reverse proxy is employed at all: in that case the X-Forwarded-For header is client-controlled, so attackers can forge their IP addresses and circumvent rate limits. Versions starting from 2025.9.1 include a configuration option to mitigate this issue, but its default setting is insecure prior to version 2025.12.0-alpha.2. Users who do run a trusted reverse proxy should still verify that their configuration is correct for their deployment.
Exploitation of this vulnerability allows attackers to bypass rate limiting measures, enabling them to brute force accounts more effectively.
To reproduce this vulnerability, send a POST request to the '/api/signin-flow' endpoint. Include a forged X-Forwarded-For header with multiple IP addresses. This will bypass the IP rate limit and allow for rapid account login attempts.
Users should update Misskey to version 2025.12.0 or later, or, where no trusted reverse proxy sits in front of the instance, configure it not to trust forwarded IPs. For versions 2025.9.1 to 2025.11.1, set 'trustProxy: false' in the config file.
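The following is an added example, not Misskey's own code, illustrating why the trust setting matters for a rate limiter. It models three configurations: trusting X-Forwarded-For from any peer (the insecure behaviour the advisory describes), trusting it from no peer (equivalent to 'trustProxy: false'), and trusting it only from a named proxy address. The `clientIp`, `RateLimiter` and `countAllowed` names, the fixed-window limiter, and all addresses (203.0.113.7, 192.0.2.1, 10.x.y.1) are constructed for the example. The right-to-left walk over the header that skips known proxies generalizes beyond the single-proxy case the advisory discusses.

```javascript
// Added example (not Misskey's own code): deriving the address a rate
// limiter keys on, and what goes wrong when X-Forwarded-For is trusted
// from an untrusted peer.

// Resolve the address to rate-limit on.
//   socketAddr     - the TCP peer the server actually accepted the connection from
//   headers        - request headers with lower-cased names
//   trustedProxies - Set of proxy addresses whose X-Forwarded-For is believed,
//                    or null to believe any peer (the insecure behaviour the
//                    advisory describes, where a direct client can forge it)
function clientIp(socketAddr, headers, trustedProxies) {
  const raw = headers['x-forwarded-for'];
  const hops = raw ? raw.split(',').map(s => s.trim()).filter(Boolean) : [];

  if (hops.length === 0) return socketAddr;
  if (trustedProxies === null) return hops[0];            // insecure: leftmost, client-controlled
  if (!trustedProxies.has(socketAddr)) return socketAddr;  // peer is not a known proxy: ignore header

  // Walk from the right (the value our trusted proxy appended) leftwards,
  // skipping further trusted proxies; the first untrusted address is the client.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return hops[0]; // every hop was one of ours; fall back to the outermost
}

// Minimal fixed-window limiter: at most `limit` requests per key.
class RateLimiter {
  constructor(limit) { this.limit = limit; this.counts = new Map(); }
  allow(key) {
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// Simulate `attempts` sign-in requests that all arrive from ONE socket peer
// (constructed address 203.0.113.7), each carrying a different forged
// X-Forwarded-For. Returns how many requests the limiter let through.
function countAllowed(trustedProxies, attempts, limit) {
  const limiter = new RateLimiter(limit);
  const peer = '203.0.113.7';
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const headers = { 'x-forwarded-for': `10.${(i >> 8) & 255}.${i & 255}.1, 192.0.2.1` };
    if (limiter.allow(clientIp(peer, headers, trustedProxies))) allowed++;
  }
  return allowed;
}

// The three configurations, as measured results rather than claims.
function demo() {
  return {
    trustAnyPeer: countAllowed(null, 50, 5),                           // 50: limit bypassed
    trustNoProxy: countAllowed(new Set(), 50, 5),                      // 5: keyed on the socket peer
    peerIsTrustedProxy: countAllowed(new Set(['203.0.113.7']), 50, 5), // 5: keyed on 192.0.2.1
  };
}

console.log(demo());
```

Run with `node` to see the three counts. The point of the third scenario is that a correctly configured trusted proxy keys on the address it observed (the rightmost untrusted entry), so forged entries further left in the header have no effect; only the "trust any peer" configuration lets every request land in a fresh bucket.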