-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability allows an attacker to view private posts by exporting their favorites or clips. The root cause is a missing authorization check in the export functionality. The provided patch addresses this by modifying the ExportFavoritesProcessorService and ExportClipsProcessorService to include visibility checks when fetching notes for export.
Specifically, the vulnerable functions are ExportFavoritesProcessorService.process and ExportClipsProcessorService.processClipNotes. Before the patch, these functions would retrieve all notes associated with a user's favorites or clips without verifying if the user had permission to view those notes. An attacker could obtain the ID of a private note, add it to their favorites or a clip, and then use the export feature to bypass access controls and view the private content.
The patch introduces calls to this.queryService.generateVisibilityQuery(query, { id: user.id }) in both services. This function modifies the database query to include conditions that check the visibility of the notes, ensuring that only notes the user is authorized to see are included in the exported data. This effectively closes the information disclosure vulnerability.
ExportFavoritesProcessorService.processpackages/backend/src/queue/processors/ExportFavoritesProcessorService.ts
ExportClipsProcessorService.processClipNotespackages/backend/src/queue/processors/ExportClipsProcessorService.ts
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| misskey-js | npm | >= 13.0.0-beta.16, < 2025.12.0 | 2025.12.0 |