
CVE-2025-66482: CWE-307: Improper Restriction of Excessive Authentication Attempts in misskey-dev misskey

Medium
Tags: Vulnerability, CVE-2025-66482, cve, cwe-307, cwe-1188
Published: Mon Dec 15 2025 (12/15/2025, 23:18:37 UTC)
Source: CVE Database V5
Vendor/Project: misskey-dev
Product: misskey

Description

Misskey is an open source, federated social media platform. Attackers can bypass IP rate limiting on instances that use an untrusted reverse proxy, or no reverse proxy at all, by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added to the config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping the default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure whether they manually overrode this value should check their config for optimal behavior. Users running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, a workaround is available: set `trustProxy: false` in the config file.

AI-Powered Analysis

Last updated: 12/15/2025, 23:45:17 UTC

Technical Analysis

Misskey is an open-source federated social media platform that supports decentralized communication. The vulnerability identified as CVE-2025-66482 arises from improper restriction of excessive authentication attempts (CWE-307) due to reliance on the X-Forwarded-For HTTP header for IP rate limiting. When Misskey is deployed without a trusted reverse proxy or with an insecure `trustProxy` configuration (the default before v2025.12.0-alpha.2 is `true`), an attacker can forge the X-Forwarded-For header to bypass IP-based rate limiting controls. Because each request can carry a different forged address, a single source can make an effectively unlimited number of authentication attempts, facilitating brute force or credential stuffing attacks against user accounts. The vulnerability affects versions starting from 2025.9.1 up to but not including 2025.12.0-alpha.2. The vendor introduced a configuration option `trustProxy` to control whether the platform trusts the reverse proxy headers. The default was insecurely set to `true` in affected versions, meaning the platform blindly trusts the X-Forwarded-For header, enabling the bypass. The issue is fixed in version 2025.12.0-alpha.2 by changing the default of `trustProxy` to `false`, requiring explicit configuration to trust proxies. Users behind a properly configured trusted reverse proxy are not vulnerable. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N) indicates the attack can be performed remotely without authentication or user interaction, with low complexity, but with limited impact on confidentiality and integrity. No known exploits are currently in the wild. The vulnerability is categorized under CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-1188 (Incorrect Default Permissions).

Potential Impact

For European organizations running Misskey instances, this vulnerability can lead to successful brute force or credential stuffing attacks by bypassing IP rate limiting protections. This can result in unauthorized access to user accounts, potentially exposing personal data and undermining platform integrity. Given Misskey's federated nature, compromised accounts could be used to spread misinformation or malicious content across the network. The impact on confidentiality and integrity is limited but non-negligible, as attackers can gain unauthorized access to accounts. Availability impact is minimal as the vulnerability does not directly cause denial of service. Organizations without a trusted reverse proxy or with default insecure configurations are most at risk. This is particularly relevant for public-facing Misskey instances operated by European communities or organizations promoting decentralized social media. The medium severity rating reflects the balance between ease of exploitation and limited impact scope. However, the potential for large-scale brute force attacks could increase risk if left unmitigated.

Mitigation Recommendations

European organizations should immediately verify their Misskey deployment configurations, specifically the 'trustProxy' setting in the configuration file. If running versions between 2025.9.1 and 2025.11.1, set 'trustProxy: false' to disable trusting the X-Forwarded-For header unless a trusted reverse proxy is properly configured. Organizations should upgrade to version 2025.12.0-alpha.2 or later, where the default configuration is secure. Deploying a trusted reverse proxy that correctly sanitizes and controls forwarded headers is recommended to ensure accurate client IP detection. Additionally, implement multi-factor authentication (MFA) to reduce the risk of account compromise from brute force attacks. Monitoring authentication logs for unusual patterns of failed login attempts can help detect exploitation attempts. Educate administrators on the importance of secure proxy configurations and regularly audit configurations after upgrades. Finally, consider rate limiting based on other factors such as user accounts or device fingerprints to complement IP-based controls.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-02T17:09:52.016Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69409a3bd9bcdf3f3d093948

Added to database: 12/15/2025, 11:31:07 PM

Last enriched: 12/15/2025, 11:45:17 PM

Last updated: 12/17/2025, 10:02:09 PM

