CVE-2025-46559 Overview
CVE-2025-46559 is a path traversal vulnerability [CWE-22] in Misskey, an open source federated social media platform. The flaw exists in the Mk:api function, which fails to validate URL paths supplied by AiScript code. Starting in version 12.31.0 and prior to version 2025.4.1, malicious AiScript code can prefix a URL with ../ to escape the /api directory. This grants the script access to unintended endpoints including /files, /url, and /proxy. The vulnerability affects the confidentiality of Misskey instances by exposing endpoints not designed for AiScript consumption. Version 2025.4.1 fixes the issue.
Critical Impact
Malicious AiScript code can break out of the /api namespace and reach internal endpoints such as /files, /url, and /proxy, enabling unauthorized data access on affected Misskey instances.
Affected Products
- Misskey versions from 12.31.0 up to, but not including, 2025.4.1
- Self-hosted Misskey federated social media instances
- Misskey deployments executing untrusted AiScript code
Discovery Timeline
- 2025-05-05 - CVE-2025-46559 published to NVD
- 2025-09-03 - Last updated in NVD database
Technical Details for CVE-2025-46559
Vulnerability Analysis
Misskey exposes a scripting environment called AiScript that lets users write custom client-side automation. The Mk:api function provides AiScript with a controlled bridge to the Misskey API surface under the /api path. The function is intended to constrain requests to that single namespace.
The implementation fails to sanitize relative path segments in the supplied URL argument. An attacker crafting AiScript code can pass values containing ../ sequences. These sequences traverse out of /api and reach sibling endpoints on the same origin. Endpoints affected include /files for media handling, /url for link preview generation, and /proxy for outbound content fetching.
The issue is classified as [CWE-22] Improper Limitation of a Pathname to a Restricted Directory. Exploitation requires no authentication or user interaction beyond loading a page or plugin that runs the malicious AiScript. The impact is limited to confidentiality, with no direct integrity or availability consequences according to the CVSS vector.
Root Cause
The root cause is missing input validation in the Mk:api handler. The function concatenates or forwards the AiScript-supplied path without normalizing or rejecting traversal sequences. Because the underlying HTTP client resolves ../ relative to /api, attacker-controlled input escapes the intended directory boundary.
Attack Vector
An attacker authors AiScript that calls Mk:api with a URL such as ../files or ../proxy/.... When a Misskey user or instance executes the script through a plugin, widget, or embedded content, the script issues authenticated requests to the unintended endpoints. The attacker can retrieve files, abuse the proxy for server-side request forwarding, or trigger URL preview operations the AiScript context should not control.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-gmq6-738q-vjp2 for vendor-provided technical detail.
Detection Methods for CVE-2025-46559
Indicators of Compromise
- HTTP request logs on Misskey backends showing requests to /api/../files, /api/../url, or /api/../proxy paths originating from AiScript user agents or session contexts.
- Unexpected access patterns to /files, /url, or /proxy endpoints from clients that should only be invoking /api routes.
- Installation or import of unfamiliar AiScript plugins, themes, or widgets shortly before anomalous endpoint traffic.
Detection Strategies
- Inspect reverse proxy and application logs for raw request URIs containing ../ sequences before normalization, which often indicate traversal attempts.
- Correlate AiScript execution events with outbound requests to non-/api endpoints from the same session.
- Audit user-submitted AiScript content for string literals containing ../, Mk:api, or references to /files, /proxy, or /url.
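The log checks above, as an added example that is not part of the advisory or of Misskey: it parses constructed nginx-style access-log lines, decodes each raw request target, and reports the ones that begin under /api/ and use dot-dot segments, distinguishing those that actually leave /api from those that stay inside it. The log format, the sample lines and the function names are assumptions.

```javascript
// Added example, not from the advisory or Misskey: scan access-log lines for
// requests that start under /api/ and use dot-dot segments to leave it. The
// combined-log-style format and every sample line below are constructed.
const REQUEST_RE = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/;

// Decode percent-encoding (tolerating malformed input) and collapse '.' and
// '..' segments the way a router or HTTP client would. Also reports whether
// any dot-dot segment was present, since that alone is worth a look.
function resolveLoggedPath(target) {
  const pathOnly = target.split('?')[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    decoded = pathOnly; // malformed escape sequence: fall back to the raw bytes
  }
  const segments = decoded.split('/');
  const out = [];
  for (const seg of segments) {
    if (seg === '..') out.pop();
    else if (seg !== '' && seg !== '.') out.push(seg);
  }
  return { path: '/' + out.join('/'), hasDotDot: segments.includes('..') };
}

// One hit per log line whose raw request target began under /api/ and
// contained a dot-dot segment; escapesApi tells whether it really left /api.
function findApiTraversal(logText) {
  const hits = [];
  logText.split('\n').forEach((line, idx) => {
    const m = REQUEST_RE.exec(line);
    if (!m) return;
    const rawPath = m[1];
    if (!rawPath.toLowerCase().startsWith('/api/')) return;
    const { path, hasDotDot } = resolveLoggedPath(rawPath);
    if (!hasDotDot) return;
    const escapesApi = !(path === '/api' || path.startsWith('/api/'));
    hits.push({ lineNo: idx + 1, rawPath, resolvedPath: path, escapesApi });
  });
  return hits;
}

// Constructed sample: a benign call, two escapes (one percent-encoded), and a
// dot-dot that stays inside /api and is therefore reported but not an escape.
const SAMPLE_LOG = [
  '203.0.113.10 - - [05/May/2025:12:00:01 +0000] "POST /api/notes/create HTTP/1.1" 200 512',
  '203.0.113.11 - - [05/May/2025:12:00:02 +0000] "GET /api/../files/abc HTTP/1.1" 200 2048',
  '203.0.113.12 - - [05/May/2025:12:00:03 +0000] "GET /api/%2e%2e/proxy?url=https://example.test/ HTTP/1.1" 200 100',
  '203.0.113.13 - - [05/May/2025:12:00:04 +0000] "GET /api/meta/../meta HTTP/1.1" 200 300',
].join('\n');
```

Run it against a real access log only if the proxy logs the raw request line; a proxy that normalizes paths before logging will already have rewritten /api/../files to /files and the dot-dot evidence is gone.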
Monitoring Recommendations
- Enable verbose access logging on the Misskey reverse proxy and retain logs long enough to support retrospective analysis.
- Alert on spikes in traffic to /proxy and /files endpoints, especially from session tokens associated with regular API consumers.
- Monitor Misskey release channels and the Misskey GitHub repository for follow-up advisories.
How to Mitigate CVE-2025-46559
Immediate Actions Required
- Upgrade all Misskey instances to version 2025.4.1 or later, which contains the validation fix.
- Inventory installed AiScript plugins, themes, and widgets and remove any from untrusted authors until patching is complete.
- Review access logs for historical exploitation attempts against /files, /url, and /proxy endpoints.
Patch Information
The vendor fix is delivered in Misskey version 2025.4.1. The corrective code is published in commit 583df3ec63e25a1fd34def0dac13405396b8b663, which adds path validation in Mk:api to block traversal sequences. Administrators should follow the standard Misskey upgrade procedure and restart the service after deployment.
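The missing validation described under Root Cause, and the kind of check the fix adds, as an added example that is not Misskey's code or the commit above: a resolver that a Mk:api bridge could apply to the AiScript-supplied endpoint before issuing the request. It assumes the bridge builds the request as origin + /api/ + endpoint and that origin is passed in normalized form; the function names are illustrative.

```javascript
// Added example, not Misskey's code or its patch: validate the endpoint string
// an AiScript Mk:api bridge forwards, assuming the bridge builds
// `${origin}/api/${endpoint}` and that `origin` is already normalized
// (e.g. 'https://example.test', no default port). Names are illustrative.
const API_BASE = '/api/';

// decodeURIComponent throws on malformed sequences; treat that as a rejection.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch {
    return null;
  }
}

// The WHATWG URL parser throws on unparsable input; treat that as a rejection.
function tryParse(endpoint, base) {
  try {
    return new URL(endpoint, base);
  } catch {
    return null;
  }
}

// Returns the path (plus query) the request will actually hit, or null when
// the endpoint would leave /api/ or the instance's origin.
function resolveApiEndpoint(endpoint, origin) {
  if (endpoint === '') return null;
  const decoded = safeDecode(endpoint);
  if (decoded === null) return null;
  // First line of defence: no dot segments at all, literal or percent-encoded.
  // A bare '../files' here is exactly what the vulnerable version forwarded.
  const pathPart = decoded.split('?')[0];
  if (pathPart.split('/').some((seg) => seg === '..' || seg === '.')) return null;
  // Second line: resolve the way the HTTP client will and check where it lands.
  const resolved = tryParse(endpoint, origin + API_BASE);
  if (resolved === null) return null;
  if (resolved.origin !== origin) return null;              // absolute or protocol-relative URL
  if (!resolved.pathname.startsWith(API_BASE)) return null; // '/files'-style absolute path
  return resolved.pathname + resolved.search;
}
```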
Workarounds
- Disable AiScript execution for untrusted users where the deployment supports it, until the upgrade is applied.
- Add a reverse proxy rule that rejects requests where the decoded path contains ../ sequences before reaching the Misskey backend.
- Restrict outbound network access from the Misskey /proxy endpoint at the network layer to limit secondary impact.
# Example nginx rule to block traversal attempts ahead of the Misskey backend.
# $request_uri is the raw, undecoded request line, so the pattern must also
# match percent-encoded dots (%2e); ~* makes the match case-insensitive.
location /api/ {
    if ($request_uri ~* "(\.|%2e){2}/") {
        return 400;
    }
    proxy_pass http://misskey_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.