CVE-2024-32983

8.2 HIGH
Published: June 03, 2024 Modified: November 25, 2025
View on NVD

Description

Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88
Source: security-advisories@github.com
Patch
https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj
Source: security-advisories@github.com
Exploit Vendor Advisory
https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.2 / 10.0
EPSS (Exploit Probability)
0.3%
51th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-863

Affected Vendors

misskey

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A