CVE-2025-24896

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824	Patch
https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-02-11 16:15

Updated : 2025-02-20 15:48

NVD link : CVE-2025-24896

Mitre link : CVE-2025-24896

CVE.ORG link : CVE-2025-24896

JSON object : View

Products Affected

misskey

misskey

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-24896", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-02-11T16:15:51.477", "references": [{"url": "https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue."}, {"lang": "es", "value": "Misskey es una plataforma de redes sociales federada de c\u00f3digo abierto. A partir de la versi\u00f3n 12.109.0 y antes de la versi\u00f3n 2025.2.0-alpha.0, se almacena un token de inicio de sesi\u00f3n llamado `token` en una cookie con fines de autenticaci\u00f3n en Bull Dashboard, pero este permanece sin eliminarse incluso despu\u00e9s de cerrar la sesi\u00f3n. Los principales usuarios afectados ser\u00e1n aquellos que hayan iniciado sesi\u00f3n en Misskey utilizando una PC p\u00fablica o el dispositivo de otra persona, pero es posible que los usuarios que hayan cerrado sesi\u00f3n en Misskey antes de prestar su PC a otra persona tambi\u00e9n se vean afectados. La versi\u00f3n 2025.2.0-alpha.0 contiene una soluci\u00f3n para este problema."}], "lastModified": "2025-02-20T15:48:37.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CD22A7E-7810-47A9-8B23-6783D9863694", "versionEndIncluding": "2025.1.0", "versionStartIncluding": "12.109.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}