CVE-2025-24897
Published: 11 February 2025
Summary
CVE-2025-24897 is a high-severity CSRF (CWE-352) vulnerability in Misskey Misskey. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires mechanisms to protect session authenticity, directly mitigating CSRF attacks by preventing forged cross-site requests to bull-board APIs.
IA-5 ensures proper management of authenticators including security attributes like Secure and HttpOnly on authentication cookies, addressing the improper cookie configurations exploited in this CVE.
SC-7 enables boundary protection via WAF to block access to the vulnerable /queue directory, serving as the recommended workaround to prevent exploitation of the CSRF-vulnerable APIs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vulnerability in the public-facing Misskey web application's bull-board APIs (exposed /queue paths) enables exploitation without privileges to trick authenticated users into performing actions like adding arbitrary jobs, impacting integrity and availability.
NVD Description
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protection and the lack of proper security attributes in the authentication cookies of Bull's dashboard, some…
more
of the APIs of bull-board may be subject to CSRF attacks. There is a risk of this vulnerability being used for attacks with relatively large impact on availability and integrity, such as the ability to add arbitrary jobs. This vulnerability was fixed in 2025.2.0-alpha.0. As a workaround, block all access to the `/queue` directory with a web application firewall (WAF).
Deeper analysisAI
CVE-2025-24897 is a cross-site request forgery (CSRF) vulnerability affecting Misskey, an open source federated social media platform. It impacts versions starting from 12.109.0 up to but not including 2025.2.0-alpha.0. The issue arises from a lack of CSRF protection combined with improper security attributes in the authentication cookies of Bull's dashboard, exposing certain bull-board APIs to CSRF attacks. Associated weakness enumerations include CWE-352 (Cross-Site Request Forgery), CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), and CWE-1275 (Sensitive Cookie in HTTPS Session Without 'HttpOnly' Attribute).
The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, high integrity impact, and low availability impact. An attacker can exploit it by tricking an authenticated user—likely an administrator with access to the Bull dashboard—into interacting with a malicious webpage. This enables CSRF requests to bull-board APIs, allowing the addition of arbitrary jobs that could significantly disrupt availability and integrity.
Misskey fixed the vulnerability in version 2025.2.0-alpha.0. As a workaround, block all access to the /queue directory using a web application firewall (WAF). Additional details are provided in the GitHub security advisory at GHSA-38w6-vx8g-67pp and the fixing commit at 77e421029cb564a97f42b6e41c9edce49f79cecd.
Details
- CWE(s)