CVE-2025-25306
Published: 10 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25306 is a vulnerability in Misskey, an open source, federated social media platform based on ActivityPub. The issue stems from an incomplete patch for the prior CVE-2024-52591, which failed to properly validate the relationship between the `id` and `url` fields in ActivityPub objects. This allows attackers to forge objects that claim authority via the `url` field, even for object types that require authority in the `id` field. Affected versions are those prior to 2025.2.1, with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N) and associated CWEs including CWE-346 (Origin Validation Error), CWE-441 (Unintended Proxy or Intermediary), and CWE-1025 (Comparison Using Non-Equal Operators).
Unauthenticated attackers can exploit this remotely with low complexity and no user interaction, using the federated nature of Misskey to send malicious ActivityPub objects from remote instances. Successful exploitation has a high integrity impact, such as forging authoritative objects to impersonate entities or manipulate federated content, and a low confidentiality impact; the changed scope (S:C) reflects consequences that extend across instances.
Misskey version 2025.2.1 fully addresses the vulnerability through improved validation of `id` and `url` relations in ActivityPub objects. Security practitioners should update to this release immediately, as detailed in the official advisory (GHSA-6w2c-vf6f-xf26) and release notes (2025.2.1 tag).
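The `id`/`url` relation described above can be checked on the receiving side as follows. This is an added sketch, not Misskey's code or the 2025.2.1 patch; it assumes a simplified same-host rule for object types that require authority in `id` (such as notes), and the function names and `example` hosts are hypothetical.

```javascript
// Added sketch: assumed same-host rule, not Misskey's implementation.

// Lower-cased host of an http(s) URL, or null if the value is not one.
function hostOf(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:" ? u.host.toLowerCase() : null;
  } catch {
    return null;
  }
}

// `url` may be a string, a Link object ({ type: "Link", href }), or an array of either.
function urlCandidates(url) {
  if (url == null) return [];
  const items = Array.isArray(url) ? url : [url];
  return items.map((item) => (typeof item === "string" ? item : item && item.href));
}

// Returns { ok, reason } for an object fetched from `fetchedFrom`.
function checkAuthority(object, fetchedFrom) {
  const idHost = hostOf(object && object.id);
  if (idHost === null) return { ok: false, reason: "missing or invalid id" };
  if (idHost !== hostOf(fetchedFrom)) {
    return { ok: false, reason: "id host differs from fetch origin" };
  }
  // Every url entry must sit on the id's host; malformed entries are rejected too.
  for (const candidate of urlCandidates(object.url)) {
    if (hostOf(candidate) !== idHost) {
      return { ok: false, reason: "url host differs from id host" };
    }
  }
  return { ok: true, reason: "id and url agree on authority" };
}

// Constructed sample objects (example hosts are placeholders).
const genuine = {
  id: "https://social.example/notes/1",
  url: "https://social.example/@alice/1",
};
const forged = {
  id: "https://attacker.example/notes/9",
  url: [{ type: "Link", href: "https://social.example/@alice/9" }],
};

console.log(checkAuthority(genuine, "https://social.example/notes/1"));
console.log(checkAuthority(forged, "https://attacker.example/notes/9"));
```

Object types whose `url` legitimately points off-host, such as media served from a separate domain, would need their own rule rather than this one.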
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-25306 results from an incomplete patch and allows unauthenticated remote exploitation of the public-facing Misskey web application to forge ActivityPub objects and federated notes.