CVE-2025-25306 — AI Deep Analysis Summary

🚨 **Essence**: Misskey < 2025.2.1 fails to validate the relationship between `id` and `url` fields in ActivityPub objects.…

🛡️ **Root Cause**: **CWE-346** (Origin Validation Error). The system does not sufficiently verify that the `id` and `url` fields of an ActivityPub object match or are legitimately linked.…

👥 **Affected**: **misskey-dev/misskey**. Specifically, all versions **prior to 2025.2.1**. If you are running an older build, you are vulnerable. 📅 **Published**: 2025-03-10.

💀 **Attacker Capabilities**: Can **forge ActivityPub objects**. This compromises data integrity. While Confidentiality (C:L) is low, the ability to inject fake posts or identities is **High**.…

🔓 **Exploitation Threshold**: **LOW**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. No Authentication (PR:N), No User Interaction (UI:N), Low Complexity (AC:L). It is easily exploitable over the network without credentials.

📦 **Public Exploit**: **No**. The `pocs` field is empty. No Proof of Concept or wild exploitation code is currently available in the provided data. However, the low CVSS complexity suggests it is easy to write one.

🔍 **Self-Check**: Scan for **Misskey** instances running version **< 2025.2.1**. Check the `id` vs `url` consistency in ActivityPub payloads if you have access to logs.…

✅ **Official Fix**: **YES**. Patched in version **2025.2.1**. 📎 **Reference**: [GitHub Advisory GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26). Upgrade immediately!

🚧 **No Patch Workaround**: If you cannot upgrade, **disable external ActivityPub interactions** or strictly filter incoming objects. Validate `id` and `url` manually at the proxy level.…

🔥 **Urgency**: **HIGH**. Priority: **CRITICAL**. Due to `PR:N` (No Auth) and `I:H` (High Integrity), this is a severe threat to federated trust. Patch to **2025.2.1** or later ASAP. 🏃‍♂️💨