CVE-2025-46559: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in misskey-dev misskey
Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-46559 is a medium-severity path traversal vulnerability affecting the Misskey open source federated social media platform, specifically versions from 12.31.0 up to but not including 2025.4.1. The vulnerability arises from missing validation in the `Mk:api` component, through which AiScript code issues requests to the instance's API. Malicious AiScript code can exploit this flaw by prefixing the requested endpoint with `../` sequences, escaping the intended `/api` directory restriction. This allows access to other endpoints, such as `/files`, `/url`, and `/proxy`, that were not meant to be reachable via the `Mk:api` interface. The vulnerability is classified under CWE-22 (improper limitation of a pathname to a restricted directory). Exploitation requires an authenticated low-privilege user and user interaction, as indicated by the CVSS vector (AV:N/AC:H/PR:L/UI:R). The impact includes limited confidentiality loss (exposure of data the script should not reach) and high integrity impact (potential manipulation of endpoints or data); availability impact is not significant. The issue was fixed in Misskey version 2025.4.1. There are no known exploits in the wild as of the publication date, but the vulnerability presents a risk to deployments running affected versions. Given Misskey's federated nature, a compromised instance could be leveraged to attack other federated nodes or leak sensitive user data. Although the attack vector is network-reachable, the requirements for user interaction and low-privilege authentication reduce but do not eliminate the risk, especially in environments where user trust boundaries are weak or where malicious insiders exist.
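The missing check described above is the kind of guard a script-to-API bridge needs before it turns a script-supplied endpoint name into a request path. The following TypeScript is an added example, not Misskey's code or its actual fix; it assumes the bridge builds the path as `/api/` + endpoint, and the function names (`resolveEndpointPath`, `isAllowedApiEndpoint`, `buildApiRequestPath`) are hypothetical. It goes slightly beyond the page's literal `../` prefix by also percent-decoding the endpoint first, so an encoded form of the same dots is caught (an assumption about what a thorough guard should cover):

```typescript
// Added example (not Misskey code): guard for a script-facing API bridge.
// Assumption: the bridge builds the request path as '/api/' + endpoint.

const API_ROOT = "/api";

// Resolve the endpoint name the way an HTTP server or browser would, so that
// "../files" collapses to "/files" instead of staying "/api/../files".
export function resolveEndpointPath(endpoint: string): string {
  let decoded: string;
  try {
    // Assumption: decode once so "%2e%2e" is treated like ".." (not on the page).
    decoded = decodeURIComponent(endpoint);
  } catch (_err) {
    decoded = endpoint; // malformed escapes: compare the raw string instead
  }
  const segments: string[] = [];
  for (const part of `${API_ROOT}/${decoded}`.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") {
      segments.pop(); // step up one level, never above the root
      continue;
    }
    segments.push(part);
  }
  return "/" + segments.join("/");
}

// The endpoint is acceptable only if, after resolution, it still lives
// strictly below API_ROOT (so "" and "/../url" are both rejected).
export function isAllowedApiEndpoint(endpoint: string): boolean {
  const resolved = resolveEndpointPath(endpoint);
  return resolved.startsWith(API_ROOT + "/") && resolved.length > API_ROOT.length + 1;
}

// What the bridge would call before issuing the request: returns the
// normalized path, or throws so the script call fails closed.
export function buildApiRequestPath(endpoint: string): string {
  if (!isAllowedApiEndpoint(endpoint)) {
    throw new Error(`endpoint escapes ${API_ROOT}: ${JSON.stringify(endpoint)}`);
  }
  return resolveEndpointPath(endpoint);
}
```

The check compares the resolved path rather than looking for a literal `../` substring, which is the usual CWE-22 mistake in the other direction: a substring filter misses encoded or nested variants, while a resolve-then-prefix test only needs to be right about where the root is.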
Potential Impact
For European organizations using Misskey as a federated social media platform, this vulnerability could lead to unauthorized access to sensitive endpoints, potentially exposing user data or enabling manipulation of platform functionality. Given the federated architecture, a compromised node could impact the broader network of interconnected instances, amplifying the threat. This could undermine user trust, violate data protection regulations such as GDPR, and lead to reputational damage. Organizations relying on Misskey for internal or community communications may face data integrity issues or unauthorized data disclosure. The medium CVSS score reflects moderate risk, but the potential for high integrity impact and confidentiality loss means organizations should prioritize remediation. The requirement for user interaction and low privilege authentication suggests that social engineering or insider threats could facilitate exploitation. European entities with public-facing or widely accessible Misskey instances are particularly at risk.
Mitigation Recommendations
Organizations should immediately upgrade all Misskey deployments to version 2025.4.1 or later, where the vulnerability is patched. Until upgrades are applied, administrators should restrict access to the `Mk:api` interface to trusted users only and monitor logs for suspicious `../` path traversal patterns or unexpected endpoint access. Implement strict input validation and sanitization on all AiScript code inputs to prevent directory traversal sequences. Employ network segmentation to isolate Misskey servers from critical infrastructure and limit exposure. Conduct user training to reduce the risk of social engineering attacks that could facilitate exploitation. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the `Mk:api` endpoints. Regularly audit federated connections and monitor for anomalous behavior that could indicate compromise. Finally, maintain an incident response plan tailored to federated social media platforms to quickly contain and remediate any exploitation attempts.
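The log-monitoring recommendation above can be turned into a small scanner. The TypeScript below is an added example, not part of the advisory or of Misskey; the access-log format, the sample lines, the IP addresses and the `expectedPrefixes` allowlist are all constructed for the demo, and an operator would substitute their own reverse-proxy log format and the set of paths they expect script-driven clients to reach. It flags two things the text asks for: request paths carrying a literal or percent-encoded `../`, and requests to endpoints outside the expected set.

```typescript
// Added example (not Misskey code): scan access-log lines for the traversal
// indicators the mitigation section asks administrators to monitor.

interface LogEntry { ip: string; method: string; path: string; status: number; }
interface Finding { line: number; path: string; reason: string; }

// Constructed combined-log-style format:
// <ip> - - [<time>] "<METHOD> <path> HTTP/1.1" <status> <bytes>
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$/;

export function parseLine(line: string): LogEntry | null {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

// Look for "../" and its common percent-encoded spellings as tokens; the
// scanner deliberately does not decode the whole path, it only matches.
const TRAVERSAL_RE = /(\.\.\/|\.\.%2f|%2e%2e\/|%2e%2e%2f)/i;

export function scanAccessLog(lines: string[], expectedPrefixes: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((raw, idx) => {
    const entry = parseLine(raw);
    if (!entry) return; // unparseable line: skip rather than guess
    if (TRAVERSAL_RE.test(entry.path)) {
      findings.push({ line: idx + 1, path: entry.path, reason: "traversal token in request path" });
      return;
    }
    if (!expectedPrefixes.some((p) => entry.path.startsWith(p))) {
      findings.push({ line: idx + 1, path: entry.path, reason: "endpoint outside expected prefixes" });
    }
  });
  return findings;
}

// Constructed sample lines; IPs, timestamps and paths are invented for the demo.
export const SAMPLE_LOG: string[] = [
  '203.0.113.5 - - [21/May/2025:09:08:45 +0000] "POST /api/notes/create HTTP/1.1" 200 512',
  '203.0.113.5 - - [21/May/2025:09:08:46 +0000] "GET /api/../files/abc HTTP/1.1" 200 2048',
  '198.51.100.7 - - [21/May/2025:09:09:01 +0000] "GET /api/%2e%2e/proxy?url=x HTTP/1.1" 200 1024',
  '198.51.100.7 - - [21/May/2025:09:09:02 +0000] "GET /url?url=x HTTP/1.1" 200 300',
  "garbage line that does not parse",
];

// Usage: run the scanner over the sample with a constructed allowlist.
export function demo(): Finding[] {
  return scanAccessLog(SAMPLE_LOG, ["/api/", "/assets/"]);
}
```

Note the caveat the second rule carries: a browser or HTTP client normally collapses `../` before the request leaves the machine, so the server-side log may show only the final `/files` or `/proxy` path. That is why the allowlist check matters as much as the token match; on a real deployment the allowlist has to be tuned to the instance's legitimate traffic or it will be noisy.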
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-24T21:10:48.173Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981dc4522896dcbdaf20
Added to database: 5/21/2025, 9:08:45 AM
Last enriched: 7/6/2025, 8:27:44 PM
Last updated: 7/29/2025, 5:27:53 PM