CVE-2024-52579 MEDIUM

CVE-2024-52579: Server-Side Request Forgery vulnerability in various APIs in Misskey

Vendor Misskey-Dev

Product misskey

Weakness CWE-918 · SSRF

Published December 18, 2024

Last update December 19, 2024

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in a SSRF attack.It allows an attacker to send POST or GET requests (with some controllable URL parameters) to private IPs, enabling further attacks on internal servers. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

December 18, 2024 CVE published

December 19, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-52579

Related vulnerabilities

04Related CVE

CVE-2024-11031 SSRF in binary-husky/gpt_academic CVE-2025-52477 Octo-STS Vulnerable to Unauthenticated SSRF with HTTP Response Reflection in OIDC Flow CVE-2023-7073 Auto Featured Image (Auto Post Thumbnail) <= 4.1.7 - Authenticated (Author+) Server-Side Request Forgery CVE-2024-13838 Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.2 - Authenticated (Admin+) Server-Side Request Forgery via Webhook CVE-2025-53018 Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs