CVE-2025-66402 is a vulnerability identified in the Misskey open source federated social media platform, specifically affecting versions from 13.0.0-beta.16 up to 2025.12.0. The core issue is a missing authorization check (CWE-862) that allows an unauthorized actor to export posts that are marked as favorites or clips, even if they do not have permission to view these items. This means that sensitive user content intended to be private or restricted can be accessed and exported by attackers without authentication or user interaction. The vulnerability is remotely exploitable with low complexity, as no privileges or user interaction are required, making it a significant risk for confidentiality breaches. The CVSS v4.0 score of 7.1 reflects the high impact on confidentiality and the ease of exploitation. The flaw affects the core access control mechanisms of Misskey, undermining trust in the platform's privacy guarantees. The issue was publicly disclosed and fixed in version 2025.12.0, which implements proper authorization checks to prevent unauthorized data export. No known exploits are currently reported in the wild, but the vulnerability's nature suggests it could be targeted by attackers seeking to harvest private social media content.

For European organizations, the impact of CVE-2025-66402 is primarily on user privacy and data confidentiality. Misskey instances operated by companies, communities, or public institutions could have sensitive user-generated content exposed to unauthorized parties, potentially leading to reputational damage, loss of user trust, and regulatory compliance issues under GDPR. The unauthorized export of favorites and clips could reveal personal preferences, private communications, or sensitive discussions. This could also facilitate further social engineering or targeted attacks. Since Misskey is a federated platform, compromised nodes could affect the broader federated network, amplifying the impact. The vulnerability does not affect system integrity or availability directly but poses a significant confidentiality risk. Organizations relying on Misskey for internal or external communication should consider the exposure of sensitive information as a critical concern.

The primary mitigation is to upgrade all affected Misskey instances to version 2025.12.0 or later, where the authorization checks have been properly implemented. Organizations should verify the version of their Misskey deployment and apply patches promptly. Additionally, administrators should audit access control configurations and review logs for any suspicious export activity prior to patching. Implementing network-level restrictions to limit access to the Misskey API endpoints that handle favorites and clips exports can reduce exposure. Monitoring federated nodes for unusual data export patterns can help detect exploitation attempts. Educating users about the sensitivity of their favorites and clips and encouraging cautious sharing practices can also reduce risk. Finally, organizations should incorporate this vulnerability into their incident response plans and ensure compliance with data protection regulations by notifying affected users if a breach is suspected.