ghsa-wwrj-3hvj-prpm
Vulnerability from github
Published
2025-12-15 20:59
Modified
2025-12-20 02:26
Severity ?
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
Details

Summary

When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (trustProxy) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0, making it still vulnerable if the configuration is not set correctly.

Workaround

If you are running Misskey with a trusted reverse proxy, you should not be affected by this vulnerability.

  • There is no workaround for the Misskey itself. Please update Misskey to the latest version or set up a trusted reverse proxy.
  • From v2025.9.1 to v2025.11.1, workaround is available. Set trustProxy: false in config file.
  • This is patched in v2025.12.0 by flipping default value of trustProxy to false. If you are using trusted reverse proxy and not remember you manually overrided this value, please take time to check your config for optimal behavior.

Details

Fastify recommend not trusting X-Forwarded-For IPs Due to misconfiguration in https://github.com/misskey-dev/misskey/blob/develop/packages/backend/src/server/api/SigninApiService.ts#L94 attacks can spoof their IPs.

PoC

``` POST /api/signin-flow HTTP/1.1 Host: misskey.localhost:3123 Content-Length: 45 Content-Type: application/json Connection: keep-alive X-Forwarded-For: 127.1.1.31, 1.1.1.12

{"username":"admin", "password":"password"} ``` image

Impact

An attacker can brute force accounts bypassing rate limiting protection.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "misskey-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.9.1"
            },
            {
              "fixed": "2025.12.0-alpha.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-15T20:59:59Z",
    "nvd_published_at": "2025-12-16T00:16:02Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0, making it still vulnerable if the configuration is not set correctly.\n\n### Workaround\n\nIf you are running Misskey with a trusted reverse proxy, you should *not* be affected by this vulnerability.\n\n- There is no workaround for the Misskey itself. Please update Misskey to the latest version or set up a trusted reverse proxy.\n- From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file.\n- This is patched in v2025.12.0 by flipping default value of `trustProxy` to `false`. If you are using trusted reverse proxy and not remember you manually overrided this value, please take time to check your config for optimal behavior.\n\n### Details\n[Fastify recommend not trusting X-Forwarded-For IPs](https://fastify.dev/docs/latest/Reference/Server/#trustproxy)\nDue to misconfiguration in https://github.com/misskey-dev/misskey/blob/develop/packages/backend/src/server/api/SigninApiService.ts#L94 attacks can spoof their IPs.\n\n### PoC\n\n```\nPOST /api/signin-flow HTTP/1.1\nHost: misskey.localhost:3123\nContent-Length: 45\nContent-Type: application/json\nConnection: keep-alive\nX-Forwarded-For: 127.1.1.31, 1.1.1.12\n\n{\"username\":\"admin\",\n\t\"password\":\"password\"}\n```\n![image](https://github.com/user-attachments/assets/ce9f77e2-b339-4081-86a6-d44ed42e9ca5)\n\n\n### Impact\nAn attacker can brute force accounts bypassing rate limiting protection.",
  "id": "GHSA-wwrj-3hvj-prpm",
  "modified": "2025-12-20T02:26:34Z",
  "published": "2025-12-15T20:59:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/misskey-dev/misskey"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Misskey has a login rate limit bypass via spoofed X-Forwarded-For header"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.