CVE-2025-66402
Unauthorized Data Exposure in Misskey Favorites and Clips Export
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| misskey | misskey | 13.0.0-beta.16 |
| misskey | misskey | 2025.12.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66402 is a high-severity vulnerability in the Misskey social media platform where unauthorized users can export and view private posts that they do not have permission to see. Specifically, users without permission to view favorites or clips can add private posts (restricted to followers or direct recipients) to their favorites or clips and then export these collections, gaining access to the contents of these private posts. This happens due to missing authorization checks in the system, allowing low-privilege attackers to access private data without user interaction. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of private post content on the Misskey platform. Attackers with low-privilege accounts can remotely exploit this issue without any user interaction, potentially exposing sensitive or private information that was intended only for followers or specific recipients. This compromises the confidentiality of user data and can damage user trust and privacy. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to export favorites or clips from a low-privilege user account that does not have permission to view private posts. Specifically, create two accounts on the same Misskey server: have one account create private posts restricted to followers or nominated users, and have the other account add these posts to favorites or clips by referencing their URLs. Then, export the favorites or clips from the second account and check if the exported data includes the contents of the private posts, which should not be accessible. There are no specific commands provided, but this manual test simulates the proof of concept for the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Misskey to version 2025.12.0 or later, where the vulnerability is fixed. This version includes a new time-based note visibility filtering mechanism that properly enforces authorization checks and prevents unauthorized users from exporting private posts in favorites or clips. Until the upgrade, restrict access to exporting features and monitor user activities involving favorites and clips to reduce risk. [1, 2]
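The fix described above boils down to one rule: an export path must re-apply the same note visibility check that the timeline applies, instead of trusting that a favorite or clip entry proves the exporting account may read the note. The following TypeScript is an added illustration written for this page; it is not Misskey's code, does not reproduce its time-based filtering mechanism, and uses hypothetical names (`canView`, `exportFavoritesUnchecked`, `exportFavoritesChecked`, a constructed follow graph and sample notes). It shows the missing-authorization shape (CWE-862) next to the hardened shape.

```typescript
// Added example, not Misskey's implementation. Models an export endpoint
// that copies favourited notes out without re-checking who may see them
// (CWE-862), beside one that applies the viewer's visibility rule.

type Visibility = "public" | "home" | "followers" | "specified";

interface Note {
  id: string;
  authorId: string;
  text: string;
  visibility: Visibility;
  visibleUserIds: string[]; // recipients; only meaningful for "specified"
}

// Hypothetical follow graph: author id -> ids of accounts following them.
type FollowGraph = Map<string, Set<string>>;

// The single visibility rule every read path (timeline, API, export) must share.
export function canView(note: Note, viewerId: string, follows: FollowGraph): boolean {
  if (note.authorId === viewerId) return true;
  switch (note.visibility) {
    case "public":
    case "home":
      return true;
    case "followers":
      return follows.get(note.authorId)?.has(viewerId) ?? false;
    case "specified":
      return note.visibleUserIds.includes(viewerId);
    default:
      return false; // unknown visibility: fail closed
  }
}

// Vulnerable shape: the favourite record is treated as proof of access,
// so every note that was ever favourited is exported verbatim.
export function exportFavoritesUnchecked(favoritedIds: string[], notes: Map<string, Note>): Note[] {
  const out: Note[] = [];
  for (const id of favoritedIds) {
    const n = notes.get(id);
    if (n) out.push(n);
  }
  return out;
}

// Hardened shape: evaluate visibility for the exporting account at export
// time and drop anything it may not see (omit, do not partially redact).
export function exportFavoritesChecked(
  favoritedIds: string[],
  notes: Map<string, Note>,
  viewerId: string,
  follows: FollowGraph,
): Note[] {
  return exportFavoritesUnchecked(favoritedIds, notes).filter((n) => canView(n, viewerId, follows));
}

// Constructed sample data: alice posts three notes; only bob follows her.
export const sampleNotes = new Map<string, Note>([
  ["n1", { id: "n1", authorId: "alice", text: "followers only", visibility: "followers", visibleUserIds: [] }],
  ["n2", { id: "n2", authorId: "alice", text: "direct to carol", visibility: "specified", visibleUserIds: ["carol"] }],
  ["n3", { id: "n3", authorId: "alice", text: "hello world", visibility: "public", visibleUserIds: [] }],
]);
export const sampleFollows: FollowGraph = new Map([["alice", new Set(["bob"])]]);

// Favourites list of an account that added all three notes by URL.
export const favoritedAll = ["n1", "n2", "n3"];

// Count of notes each export variant would hand to a given account.
export function exportCounts(): Record<string, number> {
  return {
    unchecked: exportFavoritesUnchecked(favoritedAll, sampleNotes).length,
    mallory: exportFavoritesChecked(favoritedAll, sampleNotes, "mallory", sampleFollows).length, // non-follower
    bob: exportFavoritesChecked(favoritedAll, sampleNotes, "bob", sampleFollows).length,         // follower
    carol: exportFavoritesChecked(favoritedAll, sampleNotes, "carol", sampleFollows).length,     // named recipient
    alice: exportFavoritesChecked(favoritedAll, sampleNotes, "alice", sampleFollows).length,     // author
  };
}
```

The same check can double as a self-test for an instance before and after upgrading: if an export for a non-following account ever contains a followers-only or specified note, the export path is not applying the visibility rule. The important design choice is that the rule lives in one function that every read path calls, so a new feature such as clip export cannot silently bypass it.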
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users to access and export private post content without proper authorization, leading to unauthorized disclosure of private data. This kind of data exposure can negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect user privacy and confidentiality. [1]