CVE-2025-24896

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824	Patch
https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*

History

20 Feb 2025, 15:48

Type	Values Removed	Values Added
Summary		(es) Misskey es una plataforma de redes sociales federada de código abierto. A partir de la versión 12.109.0 y antes de la versión 2025.2.0-alpha.0, se almacena un token de inicio de sesión llamado `token` en una cookie con fines de autenticación en Bull Dashboard, pero este permanece sin eliminarse incluso después de cerrar la sesión. Los principales usuarios afectados serán aquellos que hayan iniciado sesión en Misskey utilizando una PC pública o el dispositivo de otra persona, pero es posible que los usuarios que hayan cerrado sesión en Misskey antes de prestar su PC a otra persona también se vean afectados. La versión 2025.2.0-alpha.0 contiene una solución para este problema.
First Time		Misskey misskey Misskey
CPE		cpe:2.3:a:misskey:misskey::::::::
References	~~() https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824 -~~	() https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824 - Patch
References	~~() https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm -~~	() https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm - Vendor Advisory

11 Feb 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-11 16:15

Updated : 2025-02-20 15:48

NVD link : CVE-2025-24896

Mitre link : CVE-2025-24896

CVE.ORG link : CVE-2025-24896

JSON object : View

Products Affected

misskey

misskey

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-24896", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-02-11T16:15:51.477", "references": [{"url": "https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue."}, {"lang": "es", "value": "Misskey es una plataforma de redes sociales federada de c\u00f3digo abierto. A partir de la versi\u00f3n 12.109.0 y antes de la versi\u00f3n 2025.2.0-alpha.0, se almacena un token de inicio de sesi\u00f3n llamado `token` en una cookie con fines de autenticaci\u00f3n en Bull Dashboard, pero este permanece sin eliminarse incluso despu\u00e9s de cerrar la sesi\u00f3n. Los principales usuarios afectados ser\u00e1n aquellos que hayan iniciado sesi\u00f3n en Misskey utilizando una PC p\u00fablica o el dispositivo de otra persona, pero es posible que los usuarios que hayan cerrado sesi\u00f3n en Misskey antes de prestar su PC a otra persona tambi\u00e9n se vean afectados. La versi\u00f3n 2025.2.0-alpha.0 contiene una soluci\u00f3n para este problema."}], "lastModified": "2025-02-20T15:48:37.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CD22A7E-7810-47A9-8B23-6783D9863694", "versionEndIncluding": "2025.1.0", "versionStartIncluding": "12.109.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

8.1 /10