- Description
- Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it's using a protocol that is likely to not be understood by Misskey, IE something other than `http` or `https`. This both can de-anonymize users and_allow further attacks in the client. Additionally, `MkUrlPreview` doesn't escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 7.2
- Impact score
- 2.7
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-20
- Hype score
- Not currently trending
๐จ CVE-2025-46340 ๐ด HIGH (7.2) ๐ข misskey-dev - misskey ๐๏ธ >= 12.0.0, < 2025.4.1 ๐ https://t.co/aaxd1koTSx ๐ https://t.co/aRRQuRu17H #CyberCron #VulnAlert #InfoSec https://t.co/dgYWUilIzc
@cybercronai
7 May 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-46340 Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed โฆ https://t.co/NJEOKHhT8d
@CVEnew
5 May 2025
248 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes