CVE-2024-49363

CVSS 3.1 Score 7.4 of 10 (high)

Details

Published Dec 18, 2024
CWE ID 405
CWE ID 674

Summary

CVE-2024-49363 is a vulnerability affecting the FileServerService in the open-source, federated social media platform Misskey (github.com/misskey-dev/misskey). In versions 2024.10.1 and earlier, the service did not detect proxy loops, leaving it open to remote denial-of-service (DoS) attacks. A maliciously crafted note containing nested proxy requests could cause unbounded recursion, leading to a self-propagating reflected/amplified DoS. The issue is resolved in version 2024.11.0-alpha.3. As a temporary measure, users unable to upgrade can configure their reverse proxy to block requests with an empty User-Agent header or one containing "Misskey/". Attackers cannot effectively modify the User-Agent header without making another request, which limits their ability to bypass this mitigation.
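The temporary mitigation described above, written out for nginx as an added example (not configuration from the advisory or the Misskey project). It assumes nginx is the reverse proxy in front of Misskey; the server name and the backend address are placeholders.

```nginx
# Added example: reject requests whose User-Agent is empty or contains "Misskey/",
# the interim workaround for CVE-2024-49363 until Misskey 2024.11.0-alpha.3 or later is deployed.
# $misskey_proxy_loop is a name chosen for this example.
map $http_user_agent $misskey_proxy_loop {
    default     0;
    ""          1;   # empty or absent User-Agent header
    ~Misskey/   1;   # User-Agent containing "Misskey/" (case-sensitive match)
}

server {
    listen 443 ssl;
    server_name misskey.example.invalid;   # placeholder
    # ... TLS and other site settings ...

    location / {
        if ($misskey_proxy_loop) {
            return 403;   # drop the request before it reaches FileServerService
        }
        proxy_pass http://127.0.0.1:3000;   # assumed Misskey backend address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before reloading; because the rule also blocks empty User-Agents, watch the access log for legitimate clients that send none.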

