CVE-2025-66482: Misskey has a login rate limit bypass via spoofed X-Forwarded-For header

December 15, 2025 (updated January 6, 2026)

When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (trustProxy) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0, making it still vulnerable if the configuration is not set correctly.

References

github.com/advisories/GHSA-wwrj-3hvj-prpm
github.com/misskey-dev/misskey
github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7
github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm
nvd.nist.gov/vuln/detail/CVE-2025-66482

Code Behaviors & Features

Detect and mitigate CVE-2025-66482 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →