U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-49363

Change History

New CVE Received from GitHub, Inc. 12/18/2024 3:15:23 PM

Action Type Old Value New Value
Added Description

								
							
							
						
Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request.
Leading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server.
Added CVSS V3.1

								
							
							
						
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Added CWE

								
							
							
						
CWE-405
Added CWE

								
							
							
						
CWE-674
Added Reference

								
							
							
						
https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236