CVE-2024-25636

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-25636

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25636.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-25636

Aliases

GHSA-qqrm-9grj-6v32

Published

2024-02-19T19:42:20.688Z

Modified

2026-04-10T05:10:16.273408Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts

Details

Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an Accept header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-434"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25636.json"
}

References

Affected packages

Git / github.com/misskey-dev/misskey

Affected ranges

Type: GIT
Repo: https://github.com/misskey-dev/misskey
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

96c7c85ad008a71fb03198a708c8531aacbb39e0

Affected versions

0.*

0.0.5018

0.0.5023

0.0.5030

0.0.5042

0.0.5051

0.0.5064

0.0.5074

0.0.5089

1.*

1.0.0

1.1.0

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.7.0

10.*

10.0.0

10.1.0

10.10.0

10.10.1

10.11.0

10.11.1

10.12.0

10.12.1

10.13.0

10.14.0

10.15.0

10.16.0

10.17.0

10.18.0

10.19.0

10.2.0

10.2.1

10.20.0

10.21.0

10.21.1

10.21.2

10.21.3

10.22.0

10.22.1

10.23.0

10.23.1

10.24.0

10.25.0

10.26.0

10.27.0

10.28.0

10.29.0

10.29.1

10.3.0

10.30.0

10.30.1

10.30.2

10.30.3

10.31.0

10.32.0

10.33.0

10.34.0

10.35.0

10.35.1

10.36.0

10.36.1

10.37.0

10.38.0

10.38.1

10.38.2

10.38.3

10.38.4

10.38.5

10.38.6

10.38.7

10.38.8

10.39.0

10.39.1

10.4.0

10.40.0

10.40.1

10.41.0

10.42.0

10.42.2

10.43.0

10.43.1

10.44.0

10.44.1

10.44.2

10.45.0

10.46.0

10.46.1

10.46.2

10.47.0

10.48.0

10.48.1

10.49.0

10.49.1

10.49.2

10.49.3

10.49.4

10.49.5

10.49.6

10.49.7

10.5.0

10.50.0

10.51.0

10.51.1

10.51.2

10.52.0

10.53.0

10.54.0

10.55.0

10.56.0

10.56.1

10.56.2

10.57.0

10.57.1

10.57.2

10.57.3

10.58.0

10.58.1

10.58.2

10.59.0

10.59.1

10.59.2

10.59.3

10.59.4

10.6.0

10.60.0

10.60.1

10.60.2

10.60.3

10.60.4

10.61.0

10.62.0

10.62.1

10.62.2

10.63.0

10.63.1

10.64.0

10.64.1

10.64.2

10.65.0

10.66.0

10.66.1

10.66.2

10.67.0

10.68.0

10.69.0

10.7.0

10.7.1

10.7.2

10.70.0

10.70.1

10.71.0

10.72.0

10.73.0

10.74.0

10.75.0

10.76.0

10.77.0

10.78.0

10.78.1

10.78.2

10.78.3

10.78.4

10.78.5

10.79.0

10.79.1

10.8.0

10.80.0

10.81.0

10.82.0

10.82.1

10.82.2

10.82.3

10.82.4

10.83.0

10.84.0

10.84.1

10.84.2

10.85.0

10.85.1

10.85.2

10.86.0

10.86.1

10.86.2

10.87.0

10.87.1

10.87.2

10.87.3

10.87.4

10.87.5

10.88.0

10.89.0

10.89.1

10.9.0

10.9.1

10.9.2

10.90.0

10.90.1

10.90.2

10.90.3

10.90.4

10.91.0

10.91.1

10.91.2

10.92.0

10.92.1

10.92.2

10.92.3

10.92.4

10.93.0

10.93.1

10.94.0

10.95.0

10.96.0

10.97.0

10.97.1

10.97.2

10.98.0

10.98.1

10.98.2

10.98.3

10.99.0

11.*

11.0.0-alpha.1

11.0.0-alpha.10

11.0.0-alpha.2

11.0.0-alpha.3

11.0.0-alpha.4

11.0.0-alpha.5

11.0.0-alpha.6

11.0.0-alpha.7

11.0.0-alpha.8

11.0.0-beta.1

11.0.0-beta.10

11.0.0-beta.11

11.0.0-beta.12

11.0.0-beta.13

11.0.0-beta.14

11.0.0-beta.15

11.0.0-beta.16

11.0.0-beta.2

11.0.0-beta.3

11.0.0-beta.4

11.0.0-beta.5

11.0.0-beta.6

11.0.0-beta.7

11.0.0-beta.8

11.0.0-beta.9

11.26.1

11.26.2

11.27.0

11.27.1

11.28.0

11.28.1

11.28.2

11.29.0

11.30.0

11.31.0

11.31.1

11.31.2

11.31.3

11.31.4

11.32.0

11.33.0

11.34.0

11.35.0

11.35.1

11.36.0

11.37.0

11.37.1

12.*

12.0.0

12.1.0

12.10.0

12.100.0

12.100.1

12.100.2

12.101.0

12.101.1

12.102.0

12.102.1

12.103.0

12.103.1

12.104.0

12.105.0

12.106.0

12.106.1

12.106.2

12.106.3

12.107.0

12.108.0

12.108.1

12.109.0

12.109.1

12.109.2

12.11.0

12.110.0

12.110.1

12.111.0

12.111.1

12.112.0

12.112.1

12.112.2

12.112.3

12.113.0

12.114.0

12.115.0

12.116.0

12.116.1

12.117.0

12.117.1

12.118.0

12.118.1

12.119.0

12.119.1

12.12.0

12.13.0

12.14.0

12.15.0

12.16.0

12.17.0

12.18.0

12.18.1

12.19.0

12.2.0

12.20.0

12.21.0

12.29.0

12.3.0

12.30.0

12.31.0

12.32.0

12.33.0

12.34.0

12.35.0

12.35.1

12.35.2

12.36.0

12.36.1

12.37.0

12.38.0

12.38.1

12.39.0

12.39.1

12.4.0

12.4.1

12.40.0

12.41.0

12.41.1

12.41.2

12.41.3

12.42.0

12.43.0

12.44.0

12.44.1

12.45.0

12.45.1

12.46.0

12.47.0

12.47.1

12.48.0

12.48.1

12.48.2

12.48.3

12.49.0

12.49.1

12.5.0

12.50.0

12.51.0

12.52.0

12.53.0

12.54.0

12.55.0

12.56.0

12.57.0

12.57.1

12.57.4

12.58.0

12.59.0

12.6.0

12.60.0

12.60.1

12.61.0

12.61.1

12.62.0

12.62.1

12.62.2

12.63.0

12.64.0

12.64.1

12.64.2

12.65.0

12.65.1

12.65.2

12.65.3

12.65.4

12.65.5

12.65.6

12.65.7

12.66.0

12.67.0

12.67.1

12.68.0

12.69.0

12.7.0

12.7.1

12.70.0

12.71.0

12.72.0

12.73.0

12.74.0

12.74.1

12.75.0

12.75.1

12.76.0

12.76.1

12.77.0

12.77.1

12.78.0

12.79.0

12.79.1

12.79.2

12.79.3

12.8.0

12.80.0

12.80.1

12.80.2

12.80.3

12.81.0

12.81.1

12.81.2

12.82.0

12.83.0

12.84.0

12.84.1

12.84.2

12.84.3

12.85.0

12.85.1

12.86.0

12.87.0

12.88.0

12.89.0

12.89.1

12.89.2

12.9.0

12.90.0

12.90.1

12.91.0

12.92.0

12.93.0

12.93.1

12.93.2

12.94.0

12.94.1

12.95.0

12.96.0

12.96.1

12.97.0

12.97.1

12.98.0

12.99.0

12.99.1

12.99.2

12.99.3

13.*

13.0.0

13.1.0

13.1.1

13.1.2

13.1.3

13.1.4

13.1.5

13.1.6

13.1.7

13.1.8

13.10.0

13.10.1

13.10.2

13.10.3

13.11.0

13.11.1

13.11.2

13.11.3

13.12.0

13.12.1

13.12.2

13.13.0

13.13.1

13.13.2

13.14.0

13.14.1

13.14.2

13.2.0

13.2.1

13.2.2

13.2.3

13.2.4

13.2.5

13.2.6

13.3.0

13.3.1

13.3.2

13.3.3

13.3.4

13.4.0

13.5.0

13.5.1

13.5.2

13.5.3

13.5.4

13.5.5

13.5.6

13.6.0

13.6.1

13.7.0

13.7.1

13.7.2

13.7.3

13.7.4

13.7.5

13.8.0

13.8.1

13.9.0

13.9.1

13.9.2

2.*

2.0.0

2.1.1

2.1.2

2.1.3

2.1.4

2.10.0

2.10.1

2.11.0

2.12.0

2.13.0

2.14.0

2.15.0

2.16.0

2.16.1

2.16.2

2.16.3

2.16.4

2.16.5

2.16.6

2.16.7

2.16.8

2.17.0

2.18.0

2.18.2

2.19.0

2.2.0

2.20.0

2.20.1

2.21.0

2.21.1

2.22.0

2.22.1

2.22.2

2.22.3

2.23.0

2.24.0

2.24.1

2.24.2

2.25.1

2.25.2

2.27.3

2.29.0

2.29.1

2.3.0

2.3.1

2.30.0

2.30.1

2.31.0

2.32.0

2.33.0

2.33.1

2.34.0

2.34.1

2.34.3

2.35.1

2.35.2

2.35.3

2.36.1

2.37.1

2.37.2

2.37.3

2.37.4

2.37.5

2.37.6

2.37.7

2.38.2

2.38.3

2.4.0

2.40.0

2.40.1

2.41.1

2.42.0

2.5.0

2.6.2

2.7.1

2.9.0

2.9.1

2023.*

2023.10.0

2023.10.1

2023.10.2

2023.11.0

2023.11.1

2023.12.0

2023.12.1

2023.12.2

2023.9.0

2023.9.1

2023.9.2

2023.9.3

3.*

3.0.1

3.1.0

3.1.1

4.*

4.10.0

4.11.0

4.12.0

4.13.0

4.14.0

4.15.0

4.17.1

4.19.1

4.2.0

4.20.0

4.22.1

4.23.1

4.24.1

4.25.0

4.26.0

4.3.0

4.3.1

4.5.0

4.7.0

4.7.1

4.9.0

5.*

5.0.0

5.1.0

5.10.0

5.11.0

5.12.0

5.13.0

5.13.1

5.13.2

5.14.0

5.15.0

5.16.0

5.17.0

5.18.0

5.19.0

5.20.0

5.20.1

5.21.0

5.22.0

5.22.1

5.23.0

5.23.1

5.23.2

5.24.0

5.24.1

5.25.0

5.3.0

5.4.0

5.5.0

5.6.1

5.6.2

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.2.0

6.3.0

6.4.0

6.4.1

7.*

7.0.0

7.0.2

7.1.0

7.1.1

7.1.2

7.2.0

7.3.0

8.*

8.17.0

8.18.0

8.19.0

8.19.1

8.20.0

8.21.0

8.23.0

8.24.0

8.25.0

8.26.0

8.27.0

8.28.0

8.28.1

8.29.0

8.30.0

8.31.0

8.32.0

8.33.0

8.34.0

8.34.1

8.34.2

8.34.3

8.34.4

8.35.0

8.36.0

8.37.0

8.38.0

8.39.0

8.40.0

8.41.0

8.42.0

8.43.0

8.44.0

8.44.1

8.45.0

8.45.1

8.46.0

8.47.0

8.48.0

8.49.0

8.5.1

8.50.0

8.51.0

8.52.0

8.53.0

8.54.0

8.55.0

8.56.0

8.57.0

8.57.1

8.58.0

8.59.0

8.60.0

8.61.0

8.62.0

8.63.0

8.64.0

9.*

9.0.0

9.1.0

9.2.0

9.3.0

9.3.1

9.4.0

9.5.0

9.6.0

9.7.0

9.7.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25636.json"

Git / github.com/syuilo/misskey