CVE-2025-46340 (GCVE-0-2025-46340)
Vulnerability from cvelistv5 – Published: 2025-05-05 18:35 – Updated: 2025-05-05 18:46
VLAI?
Summary
Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it's using a protocol that is likely to not be understood by Misskey, IE something other than `http` or `https`. This both can de-anonymize users and_allow further attacks in the client. Additionally, `MkUrlPreview` doesn't escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue.
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Affected:
>= 12.0.0, < 2025.4.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46340",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T18:46:31.860134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T18:46:57.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 2025.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it\u0027s using a protocol that is likely to not be understood by Misskey, IE something other than `http` or `https`. This both can de-anonymize users and_allow further attacks in the client. Additionally, `MkUrlPreview` doesn\u0027t escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T18:35:37.852Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3p2w-xmv5-jm95",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3p2w-xmv5-jm95"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/d10fdfe9738b17a9d81037c031b40a2cc4cb8038",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/d10fdfe9738b17a9d81037c031b40a2cc4cb8038"
}
],
"source": {
"advisory": "GHSA-3p2w-xmv5-jm95",
"discovery": "UNKNOWN"
},
"title": "Misskey CSS Style Injection Vulnerability In `MkUrlPreview`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46340",
"datePublished": "2025-05-05T18:35:37.852Z",
"dateReserved": "2025-04-22T22:41:54.912Z",
"dateUpdated": "2025-05-05T18:46:57.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-46340\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-05T19:15:56.627\",\"lastModified\":\"2025-09-03T18:47:53.703\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it\u0027s using a protocol that is likely to not be understood by Misskey, IE something other than `http` or `https`. This both can de-anonymize users and_allow further attacks in the client. Additionally, `MkUrlPreview` doesn\u0027t escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"Misskey es una plataforma de redes sociales federada de c\u00f3digo abierto. A partir de la versi\u00f3n 12.0.0 y anteriores a la 2025.4.1, debido a un descuido en la validaci\u00f3n de `UrlPreviewService` y `MkUrlPreview`, un atacante puede inyectar CSS arbitrario en el componente `MkUrlPreview`. `UrlPreviewService.wrap` recurre a la URL original si utiliza un protocolo que probablemente Misskey no entienda, es decir, algo distinto de `http` o `https`. Esto puede desanonimizar a los usuarios y permitir futuros ataques en el cliente. Adem\u00e1s, `MkUrlPreview` no escapa el CSS al aplicar la propiedad `background-image`, lo que permite a un atacante manipular una URL que aplique estilos arbitrarios al elemento de vista previa. En teor\u00eda, un atacante puede crear un payload de inyecci\u00f3n de CSS para manipular un mensaje de error falso que pueda enga\u00f1ar al usuario para que revele sus credenciales o informaci\u00f3n confidencial similar. La versi\u00f3n 2025.4.1 contiene un parche para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"2025.4.1\",\"matchCriteriaId\":\"CCAF6218-BAD3-4D8F-9199-A1C786D2B30E\"}]}]}],\"references\":[{\"url\":\"https://github.com/misskey-dev/misskey/commit/d10fdfe9738b17a9d81037c031b40a2cc4cb8038\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/misskey-dev/misskey/security/advisories/GHSA-3p2w-xmv5-jm95\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46340\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-05T18:46:31.860134Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-05T18:46:41.032Z\"}}], \"cna\": {\"title\": \"Misskey CSS Style Injection Vulnerability In `MkUrlPreview`\", \"source\": {\"advisory\": \"GHSA-3p2w-xmv5-jm95\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"misskey-dev\", \"product\": \"misskey\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 12.0.0, \u003c 2025.4.1\"}]}], \"references\": [{\"url\": \"https://github.com/misskey-dev/misskey/security/advisories/GHSA-3p2w-xmv5-jm95\", \"name\": \"https://github.com/misskey-dev/misskey/security/advisories/GHSA-3p2w-xmv5-jm95\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/misskey-dev/misskey/commit/d10fdfe9738b17a9d81037c031b40a2cc4cb8038\", \"name\": \"https://github.com/misskey-dev/misskey/commit/d10fdfe9738b17a9d81037c031b40a2cc4cb8038\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it\u0027s using a protocol that is likely to not be understood by Misskey, IE something other than `http` or `https`. This both can de-anonymize users and_allow further attacks in the client. Additionally, `MkUrlPreview` doesn\u0027t escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116: Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-05T18:35:37.852Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-46340\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-05T18:46:57.331Z\", \"dateReserved\": \"2025-04-22T22:41:54.912Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-05T18:35:37.852Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…