CVE-2025-66482
Unknown Unknown - Not Provided
IP Rate Limiting Bypass in Misskey via Forged X-Forwarded-For Header

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure if they manually overode this value should check their config for optimal behavior. Users are running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66482
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
misskey misskey 2025.9.1
misskey misskey 2025.12.0-alpha.2
misskey misskey 13.0.0-beta.16
misskey misskey 2025.12.0
misskey misskey 2025.11.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-66482 is a vulnerability in the Misskey social media platform where attackers can bypass IP-based login rate limiting by forging the X-Forwarded-For HTTP header. This happens when Misskey is used without a trusted reverse proxy or with an untrusted one, causing the application to trust the forged header and allowing attackers to evade rate limits and perform brute force login attacks. The issue arises because the application improperly handles client IP addresses in the authentication flow and has an insecure default configuration for the `trustProxy` setting before version 2025.12.0-alpha.2. The vulnerability is fixed by setting `trustProxy` to false by default, which disables trusting proxy headers unless explicitly configured otherwise. [1]

Impact Analysis

This vulnerability can allow attackers to bypass login rate limiting protections by spoofing the X-Forwarded-For header, enabling them to perform brute force attacks on user accounts. This can lead to compromised account integrity, unauthorized access, and potential misuse of user accounts. The impact includes low integrity and availability impacts but no confidentiality impact, with a moderate severity rating. [1]

Detection Guidance

You can detect this vulnerability by checking if your Misskey instance is vulnerable to login rate limit bypass via a spoofed X-Forwarded-For header. One way is to attempt sending a POST request to the /api/signin-flow endpoint with a forged X-Forwarded-For header and observe if rate limiting is bypassed. For example, using curl: curl -X POST https://your-misskey-instance/api/signin-flow -H "X-Forwarded-For: 1.2.3.4" -d '{"some":"data"}' and see if multiple attempts are allowed beyond the rate limit. Additionally, check your Misskey configuration file for the trustProxy setting; if it is set to true or not set (defaulting to true before v2025.12.0), your system is vulnerable. Also, verify if you are running behind a trusted reverse proxy. These checks help detect if the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) If you are running Misskey versions from 2025.9.1 to 2025.11.1, manually set 'trustProxy: false' in your configuration file to disable trusting the X-Forwarded-For header. 2) Ensure that your Misskey instance is deployed behind a trusted reverse proxy to prevent attackers from forging the X-Forwarded-For header. 3) Upgrade your Misskey installation to version 2025.12.0 or later, where the default value of 'trustProxy' is set to false, fully patching the vulnerability. 4) Verify your configuration to confirm that 'trustProxy' is set correctly to avoid insecure defaults. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66482. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart