{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49363", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-14T13:56:34.810Z", "datePublished": "2024-12-18T19:24:34.399Z", "dateUpdated": "2024-12-19T16:46:26.503Z"}, "containers": {"cna": {"title": "Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey", "problemTypes": [{"descriptions": [{"cweId": "CWE-405", "lang": "en", "description": "CWE-405: Asymmetric Resource Consumption (Amplification)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236"}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"version": "< CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-18T19:24:34.399Z"}, "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request.\nLeading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server."}], "source": {"advisory": "GHSA-gq5q-c77c-v236", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-19T16:46:18.558266Z", "id": "CVE-2024-49363", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-19T16:46:26.503Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49363", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-19T16:46:18.558266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-19T16:46:23.760Z"}}], "cna": {"title": "Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey", "source": {"advisory": "GHSA-gq5q-c77c-v236", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"status": "affected", "version": "< CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H"}]}], "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request.\nLeading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-405", "description": "CWE-405: Asymmetric Resource Consumption (Amplification)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-18T19:24:34.399Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49363", "state": "PUBLISHED", "dateUpdated": "2024-12-19T16:46:26.503Z", "dateReserved": "2024-10-14T13:56:34.810Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-18T19:24:34.399Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request.\nLeading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server."}, {"lang": "es", "value": "Misskey es una plataforma de redes sociales federada de c\u00f3digo abierto. En las versiones afectadas, FileServerService (proxy multimedia) en github.com/misskey-dev/misskey 2024.10.1 o anteriores no detect\u00f3 bucles de proxy, lo que permite a los actores remotos ejecutar una denegaci\u00f3n de servicio distribuida reflejada/amplificada que se propaga por s\u00ed sola a trav\u00e9s de una nota manipulada con fines malintencionados. FileServerService.prototype.proxyHandler no verific\u00f3 que las solicitudes entrantes no provengan de otro servidor proxy. Un atacante puede ejecutar una denegaci\u00f3n de servicio amplificada enviando una solicitud de proxy anidada al servidor y finalizar la solicitud con una redirecci\u00f3n maliciosa a otra solicitud de proxy anidada. Esto genera una recursi\u00f3n ilimitada hasta que se agota el tiempo de espera de la solicitud original. Este problema se ha solucionado en la versi\u00f3n 2024.11.0-alpha.3. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden configurar el proxy inverso para bloquear las solicitudes al proxy con un encabezado User-Agent vac\u00edo o uno que contenga Misskey/. Un atacante no puede modificar eficazmente el encabezado User-Agent sin realizar otra solicitud al servidor."}], "id": "CVE-2024-49363", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-18T20:15:23.073", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-405"}, {"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}