CVE-2025-66402

Source
https://cve.org/CVERecord?id=CVE-2025-66402
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66402.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66402
Aliases
Published
2025-12-15T23:09:57.681Z
Modified
2026-07-15T01:48:50.761566144Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
misskey.js's export data contains private post data
Details

Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66402.json"
}
References

Affected packages

Git / github.com/misskey-dev/misskey

Affected ranges

Type
GIT
Repo
https://github.com/misskey-dev/misskey
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "13.1.0"
        },
        {
            "fixed": "2025.12.0"
        },
        {
            "introduced": "13.0.0-NA"
        },
        {
            "last_affected": "13.0.0-NA"
        }
    ],
    "cpe": [
        "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:misskey:misskey:13.0.0:-:*:*:*:*:*:*"
    ]
}

Affected versions

13.*
13.0.0-NA

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66402.json"