Listen to this Post
The vulnerability, CVE-2025-XXXXX, exists in the data export functionality of the Misskey platform. When a user adds a private post (e.g., a “Followers only” or “Direct” message) to their favorites or clips, the post’s unique identifier is stored in the user’s list. The export feature, designed to package user data for download, incorrectly includes the full content of all posts referenced in these lists without re-validating the user’s current permission to view each one. The export process trusts the list of post IDs from the favorites/clips collections and fetches the complete post object for each, bypassing the standard visibility checks that would normally prevent access. Consequently, an attacker who has added a private post to their favorites can later export their account data and obtain the complete text of posts they should no longer, or never could, see.
DailyCVE Form
Platform: Misskey.js
Version: >=13.0.0-beta.16 <2025.12.0
Vulnerability: Data Exposure
Severity: High
Date: December 2025
Prediction: Patch Released (2025.12.0)
What Undercode Say:
Check if your instance is vulnerable npm list misskey | grep -E "2025.(11|10|09)" Simulate checking for the patched version curl -s https://api.github.com/repos/misskey-dev/misskey/releases/latest | jq -r '.tag_name'
// PoC: Adding a private post's ID to favorites (ID must be known)
await api('i/favorites/create', { noteId: 'PRIVATE_POST_ID_HERE' });
// Later, execute the export function via the UI or API.
How Exploit:
- Attacker obtains ID of a private post (e.g., from user page source).
- Attacker adds the private post to their favorites/clips.
3. Attacker triggers the account data export function.
4. Attacker downloads and extracts the export archive.
- Attacker reads the exposed private post content from the export data files.
Protection from this CVE:
- Upgrade to version 2025.12.0.
- Do not add unknown posts to favorites.
- Review exported data sensitivity.
- Implement export-time permission revalidation.
Impact:
- Unauthorized private post disclosure.
- Requires user interaction (adding to favorites).
- Impacts data portability feature trust.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

