CVE-2025-24896
Published: 11 February 2025
Summary
CVE-2025-24896 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Misskey. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). It ranks in the top 49.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-12 requires termination of user sessions upon logout, directly preventing the persistence of the authentication token cookie after logout in Misskey's Bull Dashboard.
SC-23 protects session authenticity and detects hijacking attempts, mitigating the session hijacking that the undeleted token cookie enables.
SI-2 ensures timely identification, reporting, and correction of flaws like the insufficient session expiration in Bull Dashboard, enabling patching to version 2025.2.0-alpha.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability (insufficient session expiration) leaves an authentication token cookie valid after logout, directly enabling extraction of the web session cookie from a device/browser (T1539) and subsequent use of that cookie as alternate authentication material to hijack access to the dashboard (T1550.004).
NVD Description
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.
Deeper analysis
CVE-2025-24896 is a session management vulnerability in the Bull Dashboard component of Misskey, an open source federated social media platform. Affecting versions starting from 12.109.0 and prior to 2025.2.0-alpha.0, the issue stems from a login token named `token`, stored in a cookie for authentication, that persists even after a user logs out. This flaw, classified under CWE-613 (Insufficient Session Expiration), has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for remote exploitation with user interaction.
An attacker can exploit this vulnerability by accessing a victim's browser or device after the victim has logged out of Misskey, such as on a public PC or a shared device lent to someone else. By extracting the undeleted `token` cookie, the attacker can authenticate to the Bull Dashboard over the network without further privileges, achieving high confidentiality and integrity impacts. This enables unauthorized access to potentially sensitive queue management functions, effectively hijacking the session.
The Misskey security advisory (GHSA-w98m-j6hq-cwjm) and the fixing commit (ba9f295ef2bf31cc90fa587e20b9a7655b7a1824) confirm that version 2025.2.0-alpha.0 resolves the issue by properly deleting the token cookie upon logout. Security practitioners should advise Misskey administrators to update to 2025.2.0-alpha.0 or later and recommend users clear browser cookies or avoid shared devices for authentication.
Details
- CWE(s)