CVE-2024-25636

CVSS 3.1 Score 7.1 of 10 (high)

Details

Published Feb 19, 2024

Updated: Feb 20, 2024

CWE ID 434

Summary

CVE-2024-25636 is a vulnerability affecting the open source, decentralized social media platform Misskey before version 2024.2.0. This issue arises due to Misskey's failure to validate the `Content-Type` header when fetching remote Activity Streams objects. A threat actor can exploit this vulnerability by uploading a malicious Activity Streams document to a remote server that accepts arbitrary user uploads and serves the document with an Activity Streams media type. If the Misskey instance fetches the document in response to a request with an `Accept` header value of the Activity Streams media type, the attacker can impersonate and take over an account on the vulnerable server. With version 2024.2.0, Misskey has addressed this vulnerability through a patch.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Advisories, Assessments, and Mitigations

Back to Vulnerability Database