CVE-2025-66482: CWE-307: Improper Restriction of Excessive Authentication Attempts in misskey-dev misskey
Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy, or no reverse proxy at all, can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in the config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping the default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure if they manually overrode this value should check their config for optimal behavior. Users running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, a workaround is available: set `trustProxy: false` in the config file.
AI Analysis
Technical Summary
Misskey is an open-source federated social media platform that implements IP-based rate limiting to prevent excessive authentication attempts, a common defense against brute-force attacks. CVE-2025-66482 arises from improper handling of the X-Forwarded-For HTTP header, which is used to identify the originating IP address of a client connecting through a reverse proxy. If an attacker controls or uses an untrusted reverse proxy or no proxy at all, they can forge this header to bypass IP rate limiting, effectively circumventing protections designed to limit authentication attempts per IP. This vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-1188 (Incorrect Default Permissions). Starting with Misskey version 2025.9.1, a configuration option 'trustProxy' was introduced to control whether the platform trusts the X-Forwarded-For header. However, before version 2025.12.0-alpha.2, this option defaults to an insecure value (true), meaning the platform trusts the header by default, leaving it vulnerable if the administrator does not explicitly set 'trustProxy' to false. The vulnerability is patched in version 2025.12.0-alpha.2 by changing the default of 'trustProxy' to false, thereby not trusting the header unless explicitly configured. Users behind a properly configured trusted reverse proxy are not affected, as the proxy correctly manages client IPs. No known exploits are reported in the wild yet. The CVSS 4.0 score is 6.9 (medium), reflecting network attack vector, no privileges or user interaction required, and partial impact on confidentiality and availability due to potential brute-force attacks.
Potential Impact
For European organizations using Misskey versions between 2025.9.1 and 2025.11.1 without proper configuration, this vulnerability can allow attackers to bypass IP-based rate limiting on authentication attempts. This can lead to increased risk of brute-force or credential stuffing attacks, potentially resulting in unauthorized account access, data exposure, and reputational damage. Since Misskey is a federated social media platform, compromised accounts could be used to spread misinformation or malicious content, impacting trust and platform integrity. Additionally, excessive authentication attempts could degrade service availability due to resource exhaustion. Organizations relying on Misskey for internal or community communication may face operational disruptions. The impact is mitigated for those running patched versions or using correctly configured, trusted reverse proxies. However, the federated nature of Misskey means that vulnerabilities in one instance can have cascading effects across the network, increasing the importance of timely mitigation in Europe, where federated social media adoption is growing.
Mitigation Recommendations
European organizations should immediately verify their Misskey deployment version and configuration. If running versions from 2025.9.1 to before 2025.12.0-alpha.2, they must set 'trustProxy: false' explicitly in the configuration file unless they are certain their reverse proxy is trusted and correctly configured. Upgrading to version 2025.12.0-alpha.2 or later is strongly recommended to benefit from the secure default. Organizations should audit their reverse proxy setups to ensure they are trusted and properly forwarding client IPs without allowing header forgery. Implement additional multi-factor authentication (MFA) to reduce the risk of account compromise from brute-force attacks. Monitoring authentication logs for unusual patterns of failed attempts can help detect exploitation attempts early. Network-level rate limiting and Web Application Firewalls (WAFs) can provide additional layers of defense. Finally, educating administrators about the importance of correct 'trustProxy' configuration and maintaining up-to-date software is critical.
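To make the technical summary and the mitigation advice concrete, here is an added example (not Misskey's own code) of how a login rate limiter derives its per-client key from the connection under a hypothetical `trustProxy` option. It models the three settings a practitioner needs to reason about: `false` (the secure default after 2025.12.0-alpha.2: key on the TCP peer address only), `true` (the earlier insecure default: key on the leftmost X-Forwarded-For entry, which anyone connecting directly to the app can set), and, going beyond the page, an allowlist of proxy addresses, where the header is honoured only when the peer is a listed proxy and the chain is walked from the server side outward. The `Req` shape, the `clientIp` and `attemptsAllowed` helpers, the limit of 5 and all addresses are constructed for the example.

```typescript
// Added example, not Misskey's code. Models how a login rate limiter keys
// attempts by client IP under three settings of a hypothetical trustProxy option.
export interface Req {
  remoteAddress: string;               // peer address of the TCP connection
  headers: { [name: string]: string }; // lowercase header names
}

export type TrustProxy = boolean | string[];

// Returns the address a rate limiter should key on for this request.
export function clientIp(req: Req, trustProxy: TrustProxy): string {
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy === false || !xff) {
    // Secure default: ignore the header, use what the TCP stack reports.
    return req.remoteAddress;
  }
  const hops = xff.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  if (trustProxy === true) {
    // Insecure default: the leftmost hop is whatever the sender wrote into the header.
    return hops[0] ?? req.remoteAddress;
  }
  // Allowlist mode (assumed semantics): the header is only meaningful if the
  // peer is one of our proxies; otherwise the header did not come from our infrastructure.
  const trusted = new Set(trustProxy);
  if (!trusted.has(req.remoteAddress)) {
    return req.remoteAddress;
  }
  // Walk the chain from the server side outward; the first address that is not
  // one of our proxies is the real client. Entries left of it are unverifiable.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return req.remoteAddress; // whole chain is our own proxies; nothing better to report
}

export class LoginRateLimiter {
  private attempts = new Map<string, number>();
  constructor(private readonly limit: number, private readonly trustProxy: TrustProxy) {}

  /** Records one authentication attempt and returns whether it is still within the limit. */
  allow(req: Req): boolean {
    const key = clientIp(req, this.trustProxy);
    const n = (this.attempts.get(key) ?? 0) + 1;
    this.attempts.set(key, n);
    return n <= this.limit;
  }
}

/**
 * Constructed scenario: a single TCP peer sends `n` login attempts, each
 * carrying a different X-Forwarded-For value. Returns how many attempts the
 * limiter (5 per key) lets through, so the effect of each setting is visible.
 */
export function attemptsAllowed(trustProxy: TrustProxy, n: number, peer = '203.0.113.7'): number {
  const limiter = new LoginRateLimiter(5, trustProxy);
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    const req: Req = {
      remoteAddress: peer,
      headers: { 'x-forwarded-for': `198.51.100.${i % 250}` },
    };
    if (limiter.allow(req)) allowed++;
  }
  return allowed;
}
```

With `trustProxy: true`, every one of the 20 constructed attempts gets a fresh key and all 20 pass; with `trustProxy: false` the limiter sees one peer and stops at 5. The allowlist variant shows why a trusted reverse proxy is not affected: when the peer is the listed proxy, the address the proxy appended (the rightmost untrusted hop) is used, and anything the original sender put further left is ignored.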
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-02T17:09:52.016Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69409a3bd9bcdf3f3d093948
Added to database: 12/15/2025, 11:31:07 PM
Last enriched: 12/23/2025, 12:20:42 AM
Last updated: 2/7/2026, 8:43:49 AM