CVE-2025-24896 in Misskeyinfo

Summary

by MITRE • 02/11/2025

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/11/2025

The vulnerability described in CVE-2025-24896 represents a critical session management flaw within the Misskey federated social media platform that affects versions between 12.109.0 and 2025.2.0-alpha.0. This issue specifically impacts the Bull Dashboard component where authentication tokens are stored in cookies, creating a persistent security risk that undermines the fundamental principle of proper session termination. The flaw manifests when users log out of the system, yet the authentication token remains accessible in the browser's cookie storage, effectively allowing unauthorized access to accounts that should have been terminated. This vulnerability directly violates security best practices outlined in owasp top ten category a07: identification and authentication failures, as it enables session hijacking through persistent credential storage.

The technical implementation of this vulnerability stems from improper cookie management during the logout process within the Bull Dashboard subsystem. When users perform logout operations, the system fails to explicitly clear or invalidate the authentication token stored in the browser's cookie jar, leaving the token accessible to subsequent users who might access the same device. This represents a classic example of insecure session handling where the application does not properly destroy session identifiers upon user logout, creating a window of opportunity for privilege escalation attacks. The vulnerability specifically affects users who access Misskey through shared or public computing environments, making it particularly dangerous in scenarios where users might lend their devices to others without properly clearing browser sessions.

The operational impact of this vulnerability extends beyond simple unauthorized access to account compromise, potentially enabling a range of malicious activities including data theft, account takeover, and unauthorized posting. Users who have logged out of Misskey before lending their devices to others remain at risk because the authentication token persists in the cookie storage, allowing anyone with access to that device to potentially assume the user's identity. This creates a significant risk for users in shared environments such as libraries, internet cafes, or public computer labs where security hygiene cannot be guaranteed. The vulnerability also impacts the platform's overall security posture by creating potential attack vectors for credential stuffing and session hijacking attacks that could be exploited by threat actors.

Mitigation strategies for this vulnerability should focus on implementing proper session termination procedures that explicitly clear authentication tokens from browser storage upon logout operations. The fix introduced in version 2025.2.0-alpha.0 demonstrates the correct approach by ensuring that the token cookie is properly deleted or invalidated when users log out, preventing unauthorized access to accounts through persistent session data. Organizations should implement comprehensive session management policies that include cookie security attributes such as HttpOnly, Secure, and SameSite flags to prevent cross-site scripting attacks that could exploit this vulnerability. Additionally, the implementation should follow established security frameworks such as those defined in the mitre attack framework under technique t1548.001 for abuse of privileges, ensuring that session management follows security standards like those outlined in iso/iec 27001 for access control management and nist sp 800-53 for session management controls. The vulnerability also highlights the importance of proper input validation and output encoding in web applications, as recommended by the owasp top ten and cwe standards, particularly cwe-614 which addresses sensitive data exposure in cookies.

Responsible

GitHub M

Reservation

01/27/2025

Disclosure

02/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00553

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!