CVE-2025-61775
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-13

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a verified email address could receive repeated confirmation messages if the verification link was accessed multiple times. This issue may result in unintended email traffic but does not expose user data. The issue was addressed in version 2025.10.0 by improving validation logic to ensure verification links behave as expected after completion.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-13
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61775
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vickey vickey 2025.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Vickey (prior to version 2025.10.0) allows unexpired email confirmation links to be reused multiple times to send repeated confirmation emails to a verified email address. The system does not properly invalidate or restrict the reuse of these confirmation links after their initial use, leading to unintended repeated email traffic. It does not expose user data but can cause resource consumption issues. [1]

Impact Analysis

The vulnerability can result in unintended repeated confirmation emails being sent to verified email addresses, which may cause resource consumption and potential denial of service due to uncontrolled resource usage. However, it does not compromise user data confidentiality. The impacts include low integrity and availability concerns due to unauthorized repeated actions and resource exhaustion. [1]

Detection Guidance

This vulnerability can be detected by monitoring for repeated use of the same email confirmation link resulting in multiple confirmation emails sent to a verified email address. Since the issue involves reuse of unexpired confirmation links, you can check your email server logs or application logs for repeated confirmation requests from the same link or token. Commands to detect this might include searching logs for repeated confirmation endpoint hits or repeated email sends to the same address within a short time frame. For example, using grep on server logs: grep 'confirmation' /var/log/app.log | grep '<email_address>' | uniq -c to count repeated confirmation attempts. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Vickey platform to version 2025.10.0 or later, where the issue has been fixed by improving validation logic to prevent reuse of email confirmation links after completion. No workarounds are available, so applying the official patch or update is necessary to address the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61775. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart