Vulnerability Details CVE-2025-46559
Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to reach endpoints it is not designed to have access to. Because the endpoint argument is not validated, AiScript code can prefix a URL with `../` to step out of the `/api` directory and make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.
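The following is an added example, not Misskey's own code, showing the kind of check the advisory says was missing: an API wrapper that takes an endpoint name from untrusted script must confirm the resolved request stays under `/api/`. The instance origin, the function names and the endpoint allowlist pattern are assumptions for illustration; the WHATWG URL parser is used to resolve the endpoint so that `../` and absolute paths are normalized before the check runs.

```typescript
// Added example (not Misskey's code): guarding an endpoint parameter that
// untrusted script supplies, so it cannot escape the /api path prefix.
// ORIGIN, API_BASE, the function names and ENDPOINT_PATTERN are assumptions.

const ORIGIN = "https://instance.example"; // assumed instance origin
const API_BASE = new URL("/api/", ORIGIN);

// Assumed allowlist: endpoint names such as "i" or "notes/show", made of
// lower-case letters, digits, "/", "-" and "_" only. No dots, no schemes.
const ENDPOINT_PATTERN = /^[a-z0-9][a-z0-9_-]*(?:\/[a-z0-9][a-z0-9_-]*)*$/;

// Vulnerable shape: the endpoint is concatenated onto "/api/" and the URL
// parser then collapses "../", so "../files" becomes "/files".
function unsafeApiUrl(endpoint: string): string {
  return new URL(`/api/${endpoint}`, ORIGIN).toString();
}

// Resolve the endpoint against the API base and check that the result is
// still same-origin and still below /api/. Catches "../x", "/x" and
// absolute or protocol-relative URLs; returns false for unparsable input.
function resolvesUnderApi(endpoint: string): boolean {
  let resolved: URL;
  try {
    resolved = new URL(endpoint, API_BASE);
  } catch {
    return false;
  }
  if (resolved.origin !== API_BASE.origin) return false;
  return resolved.pathname.startsWith(API_BASE.pathname);
}

// Hardened shape: syntactic allowlist first, resolved-path check second
// (defence in depth). Returns null when the request must be refused.
function safeApiUrl(endpoint: string): string | null {
  if (!ENDPOINT_PATTERN.test(endpoint)) return null;
  if (!resolvesUnderApi(endpoint)) return null;
  return new URL(endpoint, API_BASE).toString();
}

// Runs both versions over the same inputs so the difference is visible.
function compare(inputs: string[]): Array<{ input: string; unsafe: string; safe: string | null }> {
  return inputs.map((input) => ({
    input,
    unsafe: unsafeApiUrl(input),
    safe: safeApiUrl(input),
  }));
}

// Constructed sample inputs: one legitimate endpoint, then the traversal and
// absolute-path shapes the advisory describes.
const SAMPLE_INPUTS = ["notes/show", "../files", "../../url", "/proxy", "notes/../../files"];

for (const row of compare(SAMPLE_INPUTS)) {
  console.log(`${row.input.padEnd(20)} unsafe -> ${row.unsafe}  safe -> ${row.safe}`);
}
```

The two layers are deliberately independent: the allowlist rejects anything that does not look like an endpoint name, and the resolved-URL check catches whatever a future relaxation of the pattern might let through, because it compares the path the HTTP client would actually request rather than the raw string.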
Exploit prediction scoring system (EPSS) score
EPSS Score: 0.0
EPSS Ranking: 12.8%
CVSS Severity
CVSS v3 Score: 5.4
Products affected by CVE-2025-46559
- cpe:2.3:a:misskey:misskey:12.31.0
- cpe:2.3:a:misskey:misskey:12.32.0
- cpe:2.3:a:misskey:misskey:12.33.0
- cpe:2.3:a:misskey:misskey:12.34.0
- cpe:2.3:a:misskey:misskey:12.35.0
- cpe:2.3:a:misskey:misskey:12.35.1
- cpe:2.3:a:misskey:misskey:12.35.2
- cpe:2.3:a:misskey:misskey:12.36.0
- cpe:2.3:a:misskey:misskey:12.36.1
- cpe:2.3:a:misskey:misskey:12.37.0
- cpe:2.3:a:misskey:misskey:12.38.0
- cpe:2.3:a:misskey:misskey:12.38.1
- cpe:2.3:a:misskey:misskey:12.39.0
- cpe:2.3:a:misskey:misskey:12.39.1
- cpe:2.3:a:misskey:misskey:12.40.0
- cpe:2.3:a:misskey:misskey:12.41.0
- cpe:2.3:a:misskey:misskey:12.41.1
- cpe:2.3:a:misskey:misskey:12.41.2
- cpe:2.3:a:misskey:misskey:12.41.3
- cpe:2.3:a:misskey:misskey:12.42.0
- cpe:2.3:a:misskey:misskey:12.43.0
- cpe:2.3:a:misskey:misskey:12.44.0
- cpe:2.3:a:misskey:misskey:12.44.1
- cpe:2.3:a:misskey:misskey:12.45.0
- cpe:2.3:a:misskey:misskey:12.45.1
- cpe:2.3:a:misskey:misskey:12.46.0
- cpe:2.3:a:misskey:misskey:12.47.0
- cpe:2.3:a:misskey:misskey:12.47.1
- cpe:2.3:a:misskey:misskey:12.48.0
- cpe:2.3:a:misskey:misskey:12.48.1
- cpe:2.3:a:misskey:misskey:12.48.2
- cpe:2.3:a:misskey:misskey:12.48.3
- cpe:2.3:a:misskey:misskey:12.49.0
- cpe:2.3:a:misskey:misskey:12.49.1
- cpe:2.3:a:misskey:misskey:12.50.0
- cpe:2.3:a:misskey:misskey:12.51.0
- cpe:2.3:a:misskey:misskey:12.52.0
- cpe:2.3:a:misskey:misskey:12.53.0
- cpe:2.3:a:misskey:misskey:12.54.0
- cpe:2.3:a:misskey:misskey:12.55.0
- cpe:2.3:a:misskey:misskey:12.56.0
- cpe:2.3:a:misskey:misskey:12.57.0
- cpe:2.3:a:misskey:misskey:12.57.1
- cpe:2.3:a:misskey:misskey:12.57.4
- cpe:2.3:a:misskey:misskey:12.58.0
- cpe:2.3:a:misskey:misskey:12.59.0
- cpe:2.3:a:misskey:misskey:12.60.0
- cpe:2.3:a:misskey:misskey:12.60.1
- cpe:2.3:a:misskey:misskey:12.61.0
- cpe:2.3:a:misskey:misskey:12.61.1
- cpe:2.3:a:misskey:misskey:12.62.0
- cpe:2.3:a:misskey:misskey:12.62.1
- cpe:2.3:a:misskey:misskey:12.62.2
- cpe:2.3:a:misskey:misskey:12.63.0
- cpe:2.3:a:misskey:misskey:12.64.0
- cpe:2.3:a:misskey:misskey:12.64.1
- cpe:2.3:a:misskey:misskey:12.64.2
- cpe:2.3:a:misskey:misskey:12.65.0
- cpe:2.3:a:misskey:misskey:12.65.1
- cpe:2.3:a:misskey:misskey:12.65.2
- cpe:2.3:a:misskey:misskey:12.65.3
- cpe:2.3:a:misskey:misskey:12.65.4
- cpe:2.3:a:misskey:misskey:12.65.5
- cpe:2.3:a:misskey:misskey:12.65.6
- cpe:2.3:a:misskey:misskey:12.65.7
- cpe:2.3:a:misskey:misskey:12.66.0
- cpe:2.3:a:misskey:misskey:12.67.0
- cpe:2.3:a:misskey:misskey:12.67.1
- cpe:2.3:a:misskey:misskey:12.68.0
- cpe:2.3:a:misskey:misskey:12.69.0
- cpe:2.3:a:misskey:misskey:12.70.0
- cpe:2.3:a:misskey:misskey:12.71.0
- cpe:2.3:a:misskey:misskey:12.72.0
- cpe:2.3:a:misskey:misskey:12.73.0
- cpe:2.3:a:misskey:misskey:12.74.0
- cpe:2.3:a:misskey:misskey:12.74.1
- cpe:2.3:a:misskey:misskey:12.75.0
- cpe:2.3:a:misskey:misskey:12.75.1
- cpe:2.3:a:misskey:misskey:12.76.0
- cpe:2.3:a:misskey:misskey:12.76.1
- cpe:2.3:a:misskey:misskey:12.77.0
- cpe:2.3:a:misskey:misskey:12.77.1
- cpe:2.3:a:misskey:misskey:12.78.0
- cpe:2.3:a:misskey:misskey:12.79.0
- cpe:2.3:a:misskey:misskey:12.79.1
- cpe:2.3:a:misskey:misskey:12.79.2
- cpe:2.3:a:misskey:misskey:12.79.3
- cpe:2.3:a:misskey:misskey:12.80.0
- cpe:2.3:a:misskey:misskey:12.80.1
- cpe:2.3:a:misskey:misskey:12.80.2
- cpe:2.3:a:misskey:misskey:12.80.3
- cpe:2.3:a:misskey:misskey:12.81.0
- cpe:2.3:a:misskey:misskey:12.81.1
- cpe:2.3:a:misskey:misskey:12.81.2
- cpe:2.3:a:misskey:misskey:12.82.0
- cpe:2.3:a:misskey:misskey:12.83.0
- cpe:2.3:a:misskey:misskey:12.84.0
- cpe:2.3:a:misskey:misskey:12.84.1
- cpe:2.3:a:misskey:misskey:12.84.2
- cpe:2.3:a:misskey:misskey:12.84.3
- cpe:2.3:a:misskey:misskey:12.85.0
- cpe:2.3:a:misskey:misskey:12.85.1
- cpe:2.3:a:misskey:misskey:12.86.0
- cpe:2.3:a:misskey:misskey:12.87.0
- cpe:2.3:a:misskey:misskey:12.88.0
- cpe:2.3:a:misskey:misskey:12.89.0
- cpe:2.3:a:misskey:misskey:12.89.1
- cpe:2.3:a:misskey:misskey:12.89.2
- cpe:2.3:a:misskey:misskey:12.90.0
- cpe:2.3:a:misskey:misskey:12.90.1
- cpe:2.3:a:misskey:misskey:2023.10.0
- cpe:2.3:a:misskey:misskey:2023.10.1
- cpe:2.3:a:misskey:misskey:2023.10.2
- cpe:2.3:a:misskey:misskey:2023.11.0
- cpe:2.3:a:misskey:misskey:2023.11.1
- cpe:2.3:a:misskey:misskey:2023.12.0
- cpe:2.3:a:misskey:misskey:2023.12.1
- cpe:2.3:a:misskey:misskey:2023.12.2
- cpe:2.3:a:misskey:misskey:2023.9.0
- cpe:2.3:a:misskey:misskey:2023.9.1
- cpe:2.3:a:misskey:misskey:2023.9.2
- cpe:2.3:a:misskey:misskey:2023.9.3
- cpe:2.3:a:misskey:misskey:2024.10.0
- cpe:2.3:a:misskey:misskey:2024.10.1
- cpe:2.3:a:misskey:misskey:2024.10.2
- cpe:2.3:a:misskey:misskey:2024.11.0
- cpe:2.3:a:misskey:misskey:2024.11.1
- cpe:2.3:a:misskey:misskey:2024.2.0
- cpe:2.3:a:misskey:misskey:2024.3.0
- cpe:2.3:a:misskey:misskey:2024.3.1
- cpe:2.3:a:misskey:misskey:2024.5.0
- cpe:2.3:a:misskey:misskey:2024.7.0
- cpe:2.3:a:misskey:misskey:2024.8.0
- cpe:2.3:a:misskey:misskey:2024.9.0
- cpe:2.3:a:misskey:misskey:2025.1.0
- cpe:2.3:a:misskey:misskey:2025.2.0