CVE-2025-21611
Published: 06 January 2025
Summary
CVE-2025-21611 is a high-severity Improper Authorization (CWE-285) vulnerability in Tgstation13 Tgstation-Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 46.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Mandates enforcement of approved authorizations for API access, directly addressing the flawed logic that OR'd roles instead of AND'ing them with user enablement status.
- SI-2 (Flaw Remediation): Requires timely remediation of the specific authorization flaw via patching to tgstation-server version 6.12.3.
- Least privilege: Enforces least privilege to limit the scope of unauthorized actions accessible to enabled users lacking proper roles.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass in the public API allows low-privilege enabled accounts to perform unauthorized high-impact actions via flawed role logic, which maps to Exploitation for Privilege Escalation (T1068).
NVD Description
tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected so users may not use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3.
Deeper analysis
CVE-2025-21611 is an improper authorization vulnerability (CWE-285) in tgstation-server, a production-scale tool for managing BYOND servers. In versions prior to 6.12.3, the authorization logic for API methods incorrectly used an OR operation instead of an AND operation when combining roles for authorization with the role determining user enablement. This flaw enables users who are marked as enabled to bypass intended permission checks for most authorized actions, though not all endpoints are affected.
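The OR/AND confusion described above, modelled as an added Python example (constructed here, not tgstation-server's own code; the `User` model and the right names are hypothetical). It places the vulnerable shape of the check beside the corrected one and provides a regression helper that lists every (user, right) pair the flawed check lets through:

```python
"""Constructed model of the CVE-2025-21611 check, not tgstation-server code.
The advisory says the roles authorizing an API method were OR'd with the role
that marks an account enabled, instead of AND'd with it."""
from dataclasses import dataclass, field

# Hypothetical right names used only by this model (not project identifiers).
READ_CONFIG = "ReadConfiguration"
WRITE_CONFIG = "WriteConfiguration"


@dataclass
class User:
    name: str
    enabled: bool
    rights: frozenset = field(default_factory=frozenset)


def authorize_vulnerable(user: User, required_right: str) -> bool:
    """Pre-6.12.3 shape of the check as the advisory describes it: the
    enablement role is OR'd with the method's role, so any enabled account
    passes whatever right the method actually requires."""
    return user.enabled or required_right in user.rights


def authorize_fixed(user: User, required_right: str) -> bool:
    """Corrected check: the account must be enabled AND hold the right."""
    return user.enabled and required_right in user.rights


def find_bypasses(users, rights):
    """Regression check a defender can run against an authorization layer:
    return every (user, right) pair the vulnerable check allows but the
    corrected check denies. An empty list means no OR/AND confusion."""
    return sorted(
        (u.name, r)
        for u in users
        for r in rights
        if authorize_vulnerable(u, r) and not authorize_fixed(u, r)
    )


# Constructed sample accounts; the enabled reader is the case the advisory
# describes: enabled, but lacking the right the method requires.
SAMPLE_USERS = [
    User("enabled-reader", enabled=True, rights=frozenset({READ_CONFIG})),
    User("enabled-admin", enabled=True, rights=frozenset({READ_CONFIG, WRITE_CONFIG})),
]
SAMPLE_RIGHTS = [READ_CONFIG, WRITE_CONFIG]

if __name__ == "__main__":
    for name, right in find_bypasses(SAMPLE_USERS, SAMPLE_RIGHTS):
        print(f"{name} reaches {right} without holding it")
```

The model reproduces the literal OR; the advisory only describes its effect on enabled accounts, so the checks above assert on those cases.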
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and low privileges required. An authenticated attacker with an enabled account but lacking specific permissions can exploit this over the network without user interaction to gain unauthorized access to sensitive API functions, potentially reading confidential data, modifying server configurations, or disrupting operations. However, the WriteUsers permission remains unaffected, preventing permanent privilege escalation on user accounts.
Mitigation is available via upgrade to tgstation-server version 6.12.3, which corrects the authorization logic as detailed in the project's GitHub security advisory (GHSA-rf5r-q276-vrc4), issue tracker (#2064), and the fixing commit (e7b1189620baaf03c2d23f6e164d07c7c7d87d57). Security practitioners managing BYOND server infrastructure should prioritize the upgrade and, until it is applied, review which user accounts are enabled, since any enabled account can reach unauthorized API actions.
Details
- CWE(s): CWE-285 (Improper Authorization)