{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-14T03:22:15.325","vulnerabilities":[{"cve":{"id":"CVE-2024-49363","sourceIdentifier":"security-advisories@github.com","published":"2024-12-18T20:15:23.073","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request.\nLeading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server."},{"lang":"es","value":"Misskey es una plataforma de redes sociales federada de código abierto. En las versiones afectadas, FileServerService (proxy multimedia) en github.com/misskey-dev/misskey 2024.10.1 o anteriores no detectó bucles de proxy, lo que permite a los actores remotos ejecutar una denegación de servicio distribuida reflejada/amplificada que se propaga por sí sola a través de una nota manipulada con fines malintencionados. FileServerService.prototype.proxyHandler no verificó que las solicitudes entrantes no provengan de otro servidor proxy. \nUn atacante puede ejecutar una denegación de servicio amplificada enviando una solicitud de proxy anidada al servidor y finalizar la solicitud con una redirección maliciosa a otra solicitud de proxy anidada. Esto genera una recursión ilimitada hasta que se agota el tiempo de espera de la solicitud original. Este problema se ha solucionado en la versión 2024.11.0-alpha.3. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden configurar el proxy inverso para bloquear las solicitudes al proxy con un encabezado User-Agent vacío o uno que contenga Misskey/. Un atacante no puede modificar eficazmente el encabezado User-Agent sin realizar otra solicitud al servidor."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-405"},{"lang":"en","value":"CWE-674"}]}],"references":[{"url":"https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236","source":"security-advisories@github.com"}]}}]}