{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e" } ], "repo": "https://github.com/misskey-dev/misskey", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "12.90.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "4b48ba4e8cff670ce4726417fe9b176cda0c4e76" } ], "repo": "https://github.com/syuilo/misskey", "type": "GIT" } ] } ], "details": "Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in \"Upload from URL\" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.", "id": "CVE-2021-39195", "modified": "2026-04-01T23:08:51.229938281Z", "published": "2021-09-07T19:15:08.600Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904" }, { "type": "FIX", "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf" }, { "type": "FIX", "url": "https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e" } ], "related": [ "GHSA-mqv7-gxh4-r5vf" ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ] }