
THREATINT
PUBLISHED

CVE-2024-49363

Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey



Description

Misskey is an open source, federated social media platform. In affected versions, FileServerService (the media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check that incoming requests were not themselves coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and ending the request with a malicious redirect back to another nested proxy request, leading to unbounded recursion until the original request times out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy that have an empty User-Agent header or one containing Misskey/. An attacker cannot effectively modify the User-Agent header without making another request to the server.
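As an added illustration, not code from Misskey or from the advisory, the following request-screening check models the workaround above: it rejects proxy requests whose User-Agent is empty or contains Misskey/, and additionally refuses to fetch, or follow a redirect to, a target that is this instance's own media-proxy endpoint, which is the loop condition the description explains. The proxy path prefix /proxy/, the url query parameter and the host example.social are assumptions, not values from the advisory.

```python
from urllib.parse import urlparse

# Assumptions (not from the advisory): the media proxy answers under this path
# and this instance is reachable at the hosts below (constructed value).
PROXY_PATH_PREFIX = "/proxy/"
OWN_HOSTS = {"example.social"}


def is_proxy_origin_ua(user_agent):
    """Workaround from the advisory: treat an empty User-Agent, or one
    identifying another Misskey instance ('Misskey/'), as a proxy origin."""
    ua = (user_agent or "").strip()
    return ua == "" or "Misskey/" in ua


def targets_own_proxy(target_url, own_hosts=OWN_HOSTS):
    """Loop check (illustrative, not the upstream fix): a fetch target that is
    itself a media-proxy URL on this instance would re-enter the proxy."""
    parsed = urlparse(target_url)
    if parsed.scheme not in ("http", "https"):
        return True  # unfetchable scheme: refuse rather than guess
    host = (parsed.hostname or "").lower()
    return host in own_hosts and parsed.path.startswith(PROXY_PATH_PREFIX)


def proxy_request_decision(headers, target_url):
    """Screen one incoming proxy request; header names are case-insensitive."""
    ua = {k.lower(): v for k, v in headers.items()}.get("user-agent")
    if is_proxy_origin_ua(ua):
        return "reject:user-agent"
    if targets_own_proxy(target_url):
        return "reject:proxy-loop"
    return "allow"


def first_refused_hop(headers, target_url, redirect_locations):
    """Screen the initial target, then each redirect Location in turn, since
    the advisory's loop is closed by a redirect back into the proxy.
    Returns the index of the first refused hop (0 = initial request) or None."""
    if proxy_request_decision(headers, target_url) != "allow":
        return 0
    for hop, location in enumerate(redirect_locations, start=1):
        if targets_own_proxy(location):
            return hop
    return None


if __name__ == "__main__":
    # Constructed sample: a clean first hop that redirects back into our proxy.
    chain = ["https://cdn.example/b.png",
             "https://example.social/proxy/c.webp?url=https%3A%2F%2Fcdn.example%2Fc.png"]
    print(first_refused_hop({"User-Agent": "Mozilla/5.0"}, "https://cdn.example/a.png", chain))
```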

Reserved 2024-10-14 | Published 2024-12-18 | Updated 2024-12-19 | Assigner GitHub_M


HIGH: 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)

Problem types

CWE-405: Asymmetric Resource Consumption (Amplification)

CWE-674: Uncontrolled Recursion

Product status

github.com/misskey-dev/misskey 2024.10.1 and earlier: affected

References

github.com/...isskey/security/advisories/GHSA-gq5q-c77c-v236

cve.org (CVE-2024-49363)

nvd.nist.gov (CVE-2024-49363)

https://cve.threatint.com/CVE/CVE-2024-49363