Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-32983

Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

Published

2024-06-03T16:15:08.567

Last Modified

2025-11-25T20:37:04.547

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

Weaknesses

Type: Secondary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	misskey	misskey	< 2024.5.0	Yes

References

https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88 Patch ([email protected])
https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj Exploit, Vendor Advisory ([email protected])
https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj Exploit, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)