CVE-2025-24896

Published: Feb 11, 2025

Modified: Feb 12, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.

Vendor	Product	Versions
misskey-dev	misskey	affected `>= 12.109.0, < 2025.2.0-alpha.0`

Weaknesses (CWE)

CWE-613

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm

x_refsource_CONFIRM

https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-24896

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References