{"id":"CVE-2025-46340","summary":"Misskey CSS Style Injection Vulnerability In `MkUrlPreview`","details":"Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it's using a protocol that is likely to not be understood by Misskey, i.e. something other than `http` or `https`. This can both de-anonymize users and allow further attacks in the client. Additionally, `MkUrlPreview` doesn't escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue.","aliases":["GHSA-3p2w-xmv5-jm95"],"modified":"2026-04-10T05:28:25.526948Z","published":"2025-05-05T18:35:37.852Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46340.json","cwe_ids":["CWE-116","CWE-20"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46340.json"},{"type":"ADVISORY","url":"https://github.com/misskey-dev/misskey/security/advisories/GHSA-3p2w-xmv5-jm95"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46340"},{"type":"FIX","url":"https://github.com/misskey-dev/misskey/commit/d10fdfe9738b17a9d81037c031b40a2cc4cb8038"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/misskey-dev/misskey","events":[{"introduced":"781cebf19406c9db4c769f35a78c991326393b98"},{"fixed":"979cfc1bcd6399afa0477cbc6f7457a211f26cdc"}]}],"versions":["12.0.0","12.1.0","12.10.0","12.11.0","12.12.0","12.13.0","12.14.0","12.15.0","12.16.0","12.17.0","12.18.0","12.18.1","12.19.0","12.2.0","12.20.0","12.21.0","12.29.0","12.3.0","12.30.0","12.31.0","12.32.0","12.33.0","12.34.0","12.35.0","12.35.1","12.35.2","12.36.0","12.36.1","12.37.0","12.38.0","12.38.1","12.39.0","12.39.1","12.4.0","12.4.1","12.40.0","12.41.0","12.41.1","12.41.2","12.41.3","12.42.0","12.43.0","12.44.0","12.44.1","12.45.0","12.45.1","12.46.0","12.47.0","12.47.1","12.48.0","12.48.1","12.48.2","12.48.3","12.49.0","12.49.1","12.5.0","12.50.0","12.51.0","12.52.0","12.53.0","12.54.0","12.55.0","12.56.0","12.57.0","12.57.1","12.57.4","12.58.0","12.59.0","12.6.0","12.60.0","12.60.1","12.61.0","12.61.1","12.62.0","12.62.1","12.62.2","12.63.0","12.64.0","12.64.1","12.64.2","12.65.0","12.65.1","12.65.2","12.65.3","12.65.4","12.65.5","12.65.6","12.65.7","12.66.0","12.67.0","12.67.1","12.7.0","12.7.1","12.8.0","12.9.0","13.0.0-beta.16","13.0.0-beta.21","13.0.0-beta.22","13.0.0-beta.23"
,"13.0.0-beta.24","13.0.0-beta.25","13.0.0-beta.26","13.0.0-beta.27","13.0.0-beta.28","13.0.0-beta.29","13.0.0-beta.30","13.0.0-beta.31","13.0.0-beta.32","13.0.0-beta.33","13.0.0-beta.34","13.0.0-beta.35","13.0.0-beta.36","13.0.0-beta.37","13.0.0-beta.38","13.0.0-beta.39","13.0.0-beta.40","13.0.0-beta.41","13.0.0-beta.42","13.0.0-beta.43","13.0.0-rc.1","13.0.0-rc.10","13.0.0-rc.11","13.0.0-rc.2","13.0.0-rc.3","13.0.0-rc.5","13.0.0-rc.6","13.0.0-rc.7","13.0.0-rc.8","13.0.0-rc.9","13.11.0-beta.4","13.11.0-beta.6","13.11.0-beta.7","13.11.0-beta.8","13.11.0.beta-1","13.11.0.beta-2","13.11.0.beta-3","13.12.0-beta.2","13.12.0-beta.3","13.12.0-beta.4","13.12.0-beta.5","13.12.0-beta.6","13.13.0-beta.1","13.13.0-beta.2","13.13.0-beta.3","13.13.0-beta.4","13.13.0-beta.5","13.13.0-beta.6","13.13.0-beta.7","13.14.0-beta.1","13.14.0-beta.2","13.14.0-beta.3","13.14.0-beta.4","13.14.0-beta.5","13.14.0-beta.6","13.14.0-beta.7","2023.10.0-beta.1","2023.10.0-beta.10","2023.10.0-beta.11","2023.10.0-beta.12","2023.10.0-beta.13","2023.10.0-beta.14","2023.10.0-beta.15","2023.10.0-beta.2","2023.10.0-beta.3","2023.10.0-beta.4","2023.10.0-beta.5","2023.10.0-beta.6","2023.10.0-beta.7","2023.10.0-beta.8","2023.10.0-beta.9","2023.10.2-beta.1","2023.10.2-beta.2","2023.11.0-beta.1","2023.11.0-beta.10","2023.11.0-beta.2","2023.11.0-beta.3","2023.11.0-beta.4","2023.11.0-beta.5","2023.11.0-beta.6","2023.11.0-beta.7","2023.11.0-beta.8","2023.11.0-beta.9","2023.11.1-beta.1","2023.11.1-beta.2","2023.12.0-beta.1","2023.12.0-beta.2","2023.12.0-beta.3","2023.12.0-beta.4","2023.12.0-beta.5","2023.12.0-beta.6","2023.9.0-beta.1","2023.9.0-beta.10","2023.9.0-beta.11","2023.9.0-beta.2","2023.9.0-beta.3","2023.9.0-beta.4","2023.9.0-beta.5","2023.9.0-beta.6","2023.9.0-beta.7","2023.9.0-beta.8","2023.9.0-beta.9","2023.9.0-rc.1","2023.9.0-rc.2","2023.9.0-rc.3","2023.9.0-rc.4","2024.10.0","2024.10.0-alpha.0","2024.10.0-alpha.1","2024.10.0-beta.2","2024.10.0-beta.3","2024.10.0-beta.4","2024.10.0-beta.5","2024.10.0-beta.6","2024.10.1","2024.10.1-alpha.0","2024.10.1-beta.1","2024.10.1-beta.2","2024.10.1-beta.3","2024.10.1-beta.4","2024.10.1-beta.5","2024.10.1-beta.6","2024.10.2-alpha.0","2024.10.2-alpha.1","2024.10.2-alpha.2","2024.11.0","2024.11.0-alpha.1","2024.11.0-alpha.2","2024.11.0-alpha.3","2024.11.0-beta.4","2024.2.0-beta.1","2024.2.0-beta.10","2024.2.0-beta.12","2024.2.0-beta.13","2024.2.0-beta.2","2024.2.0-beta.3","2024.2.0-beta.4","2024.2.0-beta.5","2024.2.0-beta.6","2024.2.0-beta.7","2024.2.0-beta.8","2024.2.0-beta.9","2024.7.0","2024.7.0-beta.0","2024.7.0-beta.1","2024.7.0-beta.2","2024.7.0-beta.3","2024.7.0-rc.4","2024.7.0-rc.5","2024.7.0-rc.6","2024.7.0-rc.7","2024.7.0-rc.8","2024.8.0","2024.8.0-alpha.0","2024.8.0-alpha.1","2024.8.0-beta.2","2024.8.0-rc.3","2024.8.0-rc.4","2024.8.0-rc.5","2024.9.0","2024.9.0-alpha.0","2024.9.0-alpha.1","2024.9.0-alpha.10","2024.9.0-alpha.11","2024.9.0-alpha.12","2024.9.0-alpha.13","2024.9.0-alpha.2","2024.9.0-alpha.3","2024.9.0-alpha.4","2024.9.0-alpha.5","2024.9.0-alpha.6","2024.9.0-alpha.7","2024.9.0-alpha.8","2024.9.0-alpha.9","2024.9.0-beta.14","2025.1.0","2025.1.0-alpha.0","2025.1.0-beta.0","2025.1.0-beta.1","2025.1.0-beta.2","2025.1.0-beta.3","2025.2.0","2025.2.0-alpha.0","2025.2.0-beta.0","2025.2.0-beta.1","2025.2.1","2025.2.1-alpha.0","2025.2.1-beta.0","2025.2.1-beta.1","2025.2.1-beta.2","2025.3.0","2025.3.0-alpha.0","2025.3.0-beta.0","2025.3.0-beta.1","2025.3.0-beta.2","2025.3.1","2025.3.1-alpha.0","2025.3.1-beta.0","2025.3.1-beta.1","2025.3.1-beta.2","2025.3.1-beta.3","2025.3.2-alpha.1","2025.3.2-alpha.10","2025.3.2-alpha.11","2025.3.2-alpha.2","2025.3.2-alpha.3","2025.3.2-alpha.4","2025.3.2-alpha.8","2025.3.2-beta.0","2025.3.2-beta.1","2025.3.2-beta.10","2025.3.2-beta.11","2025.3.2-beta.12","2025.3.2-beta.13","2025.3.2-beta.14","2025.3.2-beta.15","2025.3.2-beta.17","2025.3.2-beta.19","2025.3.2-beta.2","2025.3.2-beta.20","2025.3.2-beta.21","2025.3.2-beta.4","2025.3.2-beta.5","2025.3.2-beta.8","2025.3.2-beta.9","2025.4.0","2025.4.0-alpha.0","2025.4.0-beta.0","2025.4.0-beta.1","2025.4.0-rc.0","2025.4.0-rc.4","2025.4.0-rc.5","2025.4.1-alpha.0","2025.4.1-alpha.1","2025.4.1-alpha.2","2025.4.1-beta.0","2025.4.1-beta.2","2025.4.1-beta.6","2025.4.1-beta.7","2025.4.1-beta.8","2025.4.1-beta.9","2025.4.1-rc.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46340.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/syuilo/misskey","events":[{"introduced":"781cebf19406c9db4c769f35a78c991326393b98"},{"fixed":"979cfc1bcd6399afa0477cbc6f7457a211f26cdc"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"fixed":"2025.4.1"}]}}],"versions":["12.0.0","12.1.0","12.10.0","12.11.0","12.12.0","12.13.0","12.14.0","12.15.0","12.16.0","12.17.0","12.18.0","12.18.1","12.19.0","12.2.0","12.20.0","12.21.0","12.29.0","12.3.0","12.30.0","12.31.0","12.32.0","12.33.0","12.34.0","12.35.0","12.35.1","12.35.2","12.36.0","12.36.1","12.37.0","12.38.0","12.38.1","12.39.0","12.39.1","12.4.0","12.4.1","12.40.0","12.41.0","12.41.1","12.41.2","12.41.3","12.42.0","12.43.0","12.44.0","12.44.1","12.45.0","12.45.1","12.46.0","12.47.0","12.47.1","12.48.0","12.48.1","12.48.2","12.48.3","12.49.0","12.49.1","12.5.0","12.50.0","12.51.0","12.52.0","12.53.0","12.54.0","12.55.0","12.56.0","12.57.0","12.57.1","12.57.4","12.58.0","12.59.0","12.6.0","12.60.0","12.60.1","12.61.0","12.61.1","12.62.0","12.62.1","12.62.2","12.63.0","12.64.0","12.64.1","12.64.2","12.65.0","12.65.1","12.65.2","12.65.3","12.65.4","12.65.5","12.65.6","12.65.7","12.66.0","12.67.0","12.67.1","12.7.0","12.7.1","12.8.0","12.9.0","13.0.0-beta.16","13.0.0-beta.21","13.0.0-beta.22","13.0.0-beta.23","13.0.0-beta.24","13.0.0-beta.25","13.0.0-beta.26","13.0.0-beta.27","13.0.0-beta.28","13.0.0-beta.29","13.0.0-beta.30","13.0.0-beta.31","13.0.0-beta.32","13.0.0-beta.33","13.0.0-beta.34","13.0.0-beta.35","13.0.0-beta.36","13.0.0-beta.37","13.0.0-beta.38","13.0.0-beta.39","13.0.0-beta.40","13.0.0-beta.41","13.0.0-beta.42","13.0.0-beta.43","13.0.0-rc.1","13.0.0-rc.10","13.0.0-rc.11","13.0.0-rc.2","13.0.0-rc.3","13.0.0-rc.5","13.0.0-rc.6","13.0.0-rc.7","13.0.0-rc.8","13.0.0-rc.9","13.11.0-beta.4","13.11.0-beta.6","13.11.0-beta.7","13.11.0-beta.8","13.11.0.beta-1","13.11.0.beta-2","13.11.0.beta-3","13.12.0-beta.2","13.12.0-beta.3","13.12.0-beta.4","13.12.0-beta.5","13.12.0-beta.6","13.13.0-beta.1","13.13.0-beta.2","13.13.0-beta.3","13.13.0-beta.4","13.13.0-beta.5","13.13.0-beta.6","13.13.0-beta.7","13.14.0-beta.1","13.14.0-beta.2","13.14.0-beta.3","13.14.0-beta.4","13.14.0-beta.5","13.14.0-beta.6","13.14.0-beta.7","2023.10.0-beta.1","2023.10.0-beta.10","2023.10.0-beta.11","2023.10.0-beta.12","2023.10.0-beta.13","2023.10.0-beta.14","2023.10.0-beta.15","2023.10.0-beta.2","2023.10.0-beta.3","2023.10.0-beta.4","2023.10.0-beta.5","2023.10.0-beta.6","2023.10.0-beta.7","2023.10.0-beta.8","2023.10.0-beta.9","2023.10.2-beta.1","2023.10.2-beta.2","2023.11.0-beta.1","2023.11.0-beta.10","2023.11.0-beta.2","2023.11.0-beta.3","2023.11.0-beta.4","2023.11.0-beta.5","2023.11.0-beta.6","2023.11.0-beta.7","2023.11.0-beta.8","2023.11.0-beta.9","2023.11.1-beta.1","2023.11.1-beta.2","2023.12.0-beta.1","2023.12.0-beta.2","2023.12.0-beta.3","2023.12.0-beta.4","2023.12.0-beta.5","2023.12.0-beta.6","2023.9.0-beta.1","2023.9.0-beta.10","2023.9.0-beta.11","2023.9.0-beta.2","2023.9.0-beta.3","2023.9.0-beta.4","2023.9.0-beta.5","2023.9.0-beta.6","2023.9.0-beta.7","2023.9.0-beta.8","2023.9.0-beta.9","2023.9.0-rc.1","2023.9.0-rc.2","2023.9.0-rc.3","2023.9.0-rc.4","2024.10.0","2024.10.0-alpha.0","2024.10.0-alpha.1","2024.10.0-beta.2","2024.10.0-beta.3","2024.10.0-beta.4","2024.10.0-beta.5","2024.10.0-beta.6","2024.10.1","2024.10.1-alpha.0","2024.10.1-beta.1","2024.10.1-beta.2","2024.10.1-beta.3","2024.10.1-beta.4","2024.10.1-beta.5","2024.10.1-beta.6","2024.10.2-alpha.0","2024.10.2-alpha.1","2024.10.2-alpha.2","2024.11.0","2024.11.0-alpha.1","2024.11.0-alpha.2","2024.11.0-alpha.3","2024.11.0-beta.4","2024.2.0-beta.1","2024.2.0-beta.10","2024.2.0-beta.12","2024.2.0-beta.13","2024.2.0-beta.2","2024.2.0-beta.3","2024.2.0-beta.4","2024.2.0-beta.5","2024.2.0-beta.6","2024.2.0-beta.7","2024.2.0-beta.8","2024.2.0-beta.9","2024.7.0","2024.7.0-beta.0","2024.7.0-beta.1","2024.7.0-beta.2","2024.7.0-beta.3","2024.7.0-rc.4","2024.7.0-rc.5","2024.7.0-rc.6","2024.7.0-rc.7","2024.7.0-rc.8","2024.8.0","2024.8.0-alpha.0","2024.8.0-alpha.1","2024.8.0-beta.2","2024.8.0-rc.3","2024.8.0-rc.4","2024.8.0-rc.5","2024.9.0","2024.9.0-alpha.0","2024.9.0-alpha.1","2024.9.0-alpha.10","2024.9.0-alpha.11","2024.9.0-alpha.12","2024.9.0-alpha.13","2024.9.0-alpha.2","2024.9.0-alpha.3","2024.9.0-alpha.4","2024.9.0-alpha.5","2024.9.0-alpha.6","2024.9.0-alpha.7","2024.9.0-alpha.8","2024.9.0-alpha.9","2024.9.0-beta.14","2025.1.0","2025.1.0-alpha.0","2025.1.0-beta.0","2025.1.0-beta.1","2025.1.0-beta.2","2025.1.0-beta.3","2025.2.0","2025.2.0-alpha.0","2025.2.0-beta.0","2025.2.0-beta.1","2025.2.1","2025.2.1-alpha.0","2025.2.1-beta.0","2025.2.1-beta.1","2025.2.1-beta.2","2025.3.0","2025.3.0-alpha.0","2025.3.0-beta.0","2025.3.0-beta.1","2025.3.0-beta.2","2025.3.1","2025.3.1-alpha.0","2025.3.1-beta.0","2025.3.1-beta.1","2025.3.1-beta.2","2025.3.1-beta.3","2025.3.2-alpha.1","2025.3.2-alpha.10","2025.3.2-alpha.11","2025.3.2-alpha.2","2025.3.2-alpha.3","2025.3.2-alpha.4","2025.3.2-alpha.8","2025.3.2-beta.0","2025.3.2-beta.1","2025.3.2-beta.10","2025.3.2-beta.11","2025.3.2-beta.12","2025.3.2-beta.13","2025.3.2-beta.14","2025.3.2-beta.15","2025.3.2-beta.17","2025.3.2-beta.19","2025.3.2-beta.2","2025.3.2-beta.20","2025.3.2-beta.21","2025.3.2-beta.4","2025.3.2-beta.5","2025.3.2-beta.8","2025.3.2-beta.9","2025.4.0","2025.4.0-alpha.0","2025.4.0-beta.0","2025.4.0-beta.1","2025.4.0-rc.0","2025.4.0-rc.4","2025.4.0-rc.5","2025.4.1-alpha.0","2025.4.1-alpha.1","2025.4.1-alpha.2","2025.4.1-beta.0","2025.4.1-beta.2","2025.4.1-beta.6","2025.4.1-beta.7","2025.4.1-beta.8","2025.4.1-beta.9","2025.4.1-rc.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46340.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}