Cyber Resilience

CVE-2025-24900

Severity: High

Published: 11 February 2025
Modified: 15 April 2026
KEV Added: none (not listed in CISA KEV)
Patch: available (version 12.25Q1.1)
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0010 (28.1st percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24900 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 28.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-24900 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting Concorde, a federated microblogging platform forked from Misskey and formerly known as Nexkey. The issue stems from a lack of CSRF countermeasures and improper cookie settings for MediaProxy authentication, specifically the absence of the SameSite attribute on the authentication cookie in versions prior to 12.25Q1.1. This allows attackers to bypass MediaProxy authentication and load any image without restrictions under certain circumstances. Additionally, in versions prior to 12.24Q2.3, the same cookie authenticates the job queue management page (bull-board), enabling its bypass as well. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability without user interaction, as it requires no privileges and has a changed scope. Successful exploitation allows bypassing MediaProxy restrictions to load arbitrary images, potentially enabling attacks with significant impact on availability and integrity. For affected bull-board versions, attackers gain unauthorized access to job queue management, further amplifying denial-of-service or manipulation risks.

The Concorde maintainers state that affected versions are too old to be covered by the advisory but strongly recommend against their use. Version 12.25Q1.1 includes a patch addressing the SameSite cookie issue for MediaProxy, with an additional fix in a later commit for bull-board authentication. No effective workaround exists other than updating, as detailed in the GitHub security advisory (GHSA-5hgq-9vw8-7v87) and related commits.
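The defect described above is a missing cookie attribute, so the first thing a defender wants is a check that reads the Set-Cookie header an instance actually returns and reports which of SameSite, Secure and HttpOnly are absent. The following is an added example and not Concorde's or Misskey's own code: the cookie name and values are constructed placeholders, and the assumption that the fixed cookie uses SameSite=Lax is mine (the advisory only says the attribute was missing).

```javascript
// Added example (not Concorde's code): audit a Set-Cookie header for the
// attributes that keep a browser from attaching an auth cookie to a
// cross-site request (SameSite) or sending it in the clear (Secure).

// Parse one Set-Cookie header value into name, value and an attribute map
// keyed by lower-cased attribute name (flag attributes map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return findings for an authentication cookie; an empty list means the
// cookie carries SameSite (not None), Secure and HttpOnly.
function auditAuthCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  const sameSite = c.attributes.samesite;
  if (sameSite === undefined) {
    // This is the CVE-2025-24900 condition: the browser may attach the
    // cookie to a request initiated by another origin.
    findings.push('missing SameSite');
  } else if (String(sameSite).toLowerCase() === 'none') {
    findings.push('SameSite=None');
  }
  if (!c.attributes.secure) findings.push('missing Secure');
  if (!c.attributes.httponly) findings.push('missing HttpOnly');
  return findings;
}

// Constructed sample headers (placeholder cookie name): one set as the
// advisory describes (no SameSite) and one set as a fix would set it.
const WEAK_HEADER = 'mediaproxy_auth=abc123; Path=/; HttpOnly';
const FIXED_HEADER = 'mediaproxy_auth=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log('weak :', auditAuthCookie(WEAK_HEADER));   // ['missing SameSite', 'missing Secure']
console.log('fixed:', auditAuthCookie(FIXED_HEADER));  // []
```

Run it against the real header with a fetch of the MediaProxy or bull-board path on your own instance; do not rely on a browser's default-Lax behaviour, since it is not uniform across browsers.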

Vulnerability details

Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Due to a lack of CSRF countermeasures and improper settings of cookies for MediaProxy authentication, there is a vulnerability that allows MediaProxy authentication to be bypassed.

In versions prior to 12.25Q1.1, the authentication cookie does not have the SameSite attribute. This allows an attacker to bypass MediaProxy authentication and load any image without restrictions under certain circumstances. In versions prior to 12.24Q2.3, this cookie was also used to authenticate the job queue management page (bull-board), so bull-board authentication is also bypassed. This may enable attacks that have a significant impact on availability and integrity. The affected versions are too old to be covered by this advisory, but the maintainers of Concorde strongly recommend not using older versions. Version 12.25Q1.1 contains a patch. There is no effective workaround other than updating.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a CSRF vulnerability in a public-facing web application (Concorde federated platform) that can be directly exploited by unauthenticated remote attackers to bypass authentication controls on MediaProxy and bull-board endpoints, matching the definition of T1190 for exploiting public-facing applications to achieve impacts like availability disruption.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)

Affected Assets

Affected assets are inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-23 (prevent): requires protections for session authenticity, such as anti-CSRF tokens or SameSite cookie attributes, directly addressing the lack of CSRF countermeasures and missing SameSite attribute that enable authentication bypass.

CM-6 (prevent): mandates secure configuration settings for web applications, including proper cookie attributes like SameSite to prevent CSRF-based authentication bypass for MediaProxy and bull-board.

SI-10 (prevent): requires validation of information inputs, which can include CSRF token checks to mitigate forged requests bypassing MediaProxy and job queue management authentication.