CVE-2025-66402: misskey.js's export data contains private post data

December 15, 2025 (updated January 6, 2026)

After adding private posts (followers, direct) that you do not have permission to view to your favorites or clips, you can export them to view the contents of the private posts.

References

github.com/advisories/GHSA-496g-mmpw-j9x3
github.com/misskey-dev/misskey
github.com/misskey-dev/misskey/commit/dc77d59f8712d3fe0b73cd4af2035133839cd57b
github.com/misskey-dev/misskey/security/advisories/GHSA-496g-mmpw-j9x3
nvd.nist.gov/vuln/detail/CVE-2025-66402

Code Behaviors & Features

Detect and mitigate CVE-2025-66402 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →