CVE-2025-66402
Unknown Unknown - Not Provided
Unauthorized Data Exposure in Misskey Favorites and Clips Export

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66402
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
misskey misskey 13.0.0-beta.16
misskey misskey 2025.12.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized users to access and export private post content without proper authorization, leading to unauthorized disclosure of private data. This kind of data exposure can negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect user privacy and confidentiality. [1]

Executive Summary

CVE-2025-66402 is a high-severity vulnerability in the Misskey social media platform where unauthorized users can export and view private posts that they do not have permission to see. Specifically, users without permission to view favorites or clips can add private posts (restricted to followers or direct recipients) to their favorites or clips and then export these collections, gaining access to the contents of these private posts. This happens due to missing authorization checks in the system, allowing low-privilege attackers to access private data without user interaction. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private post content on the Misskey platform. Attackers with low-privilege accounts can remotely exploit this issue without any user interaction, potentially exposing sensitive or private information that was intended only for followers or specific recipients. This compromises the confidentiality of user data and can damage user trust and privacy. [1]

Detection Guidance

This vulnerability can be detected by attempting to export favorites or clips from a low-privilege user account that does not have permission to view private posts. Specifically, create two accounts on the same Misskey server: have one account create private posts restricted to followers or nominated users, and have the other account add these posts to favorites or clips by referencing their URLs. Then, export the favorites or clips from the second account and check if the exported data includes the contents of the private posts, which should not be accessible. There are no specific commands provided, but this manual test simulates the proof of concept for the vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Misskey to version 2025.12.0 or later, where the vulnerability is fixed. This version includes a new time-based note visibility filtering mechanism that properly enforces authorization checks and prevents unauthorized users from exporting private posts in favorites or clips. Until the upgrade, restrict access to exporting features and monitor user activities involving favorites and clips to reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart