CVE-2025-24900
Published: 11 February 2025
Summary
CVE-2025-24900 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the 28.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2025-24900 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting Concorde, a federated microblogging platform forked from Misskey and formerly known as Nexkey. The issue stems from a lack of CSRF countermeasures and improper cookie settings for MediaProxy authentication, specifically the absence of the SameSite attribute on the authentication cookie in versions prior to 12.25Q1.1. This allows attackers to bypass MediaProxy authentication and load any image without restrictions under certain circumstances. Additionally, in versions prior to 12.24Q2.3, the same cookie authenticates the job queue management page (bull-board), enabling its bypass as well. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
Any unauthenticated attacker with network access can exploit this vulnerability without user interaction, as it requires no privileges and has a changed scope. Successful exploitation allows bypassing MediaProxy restrictions to load arbitrary images, potentially enabling attacks with significant impact on availability and integrity. For affected bull-board versions, attackers gain unauthorized access to job queue management, further amplifying denial-of-service or manipulation risks.
The Concorde maintainers state that affected versions are too old to be covered by the advisory but strongly recommend against their use. Version 12.25Q1.1 includes a patch addressing the SameSite cookie issue for MediaProxy, with an additional fix in a later commit for bull-board authentication. No effective workaround exists other than updating, as detailed in the GitHub security advisory (GHSA-5hgq-9vw8-7v87) and related commits.
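The root cause described above is a cookie setting, so the practical check is to inspect what the server actually emits. The following is an added example, not Concorde's code: it parses a Set-Cookie header, reports the attributes that leave a cookie usable in a forged cross-site request (a missing SameSite attribute is the CVE-2025-24900 condition), and produces a hardened header. The cookie name `mediaproxy_auth` and the sample value are constructed; the page does not state which SameSite value the 12.25Q1.1 patch uses, so the example defaults to Lax and accepts Strict.

```javascript
// Added example (not Concorde's code). Cookie name/value below are constructed.

// Parse "name=value; Attr; Attr=Val" into { name, value, attrs }; attribute
// names are lower-cased so lookups are case-insensitive, as in RFC 6265.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// List the problems that let the cookie ride along on a cross-site request.
// Without SameSite, browsers have historically attached the cookie to
// cross-site subresource loads, so a third-party page embedding a MediaProxy
// URL would be authenticated without any user interaction.
function auditAuthCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) findings.push('missing SameSite attribute');
  else if (sameSite === 'none') findings.push('SameSite=None sends the cookie cross-site');
  if (!attrs.secure) findings.push('missing Secure attribute');
  if (!attrs.httponly) findings.push('missing HttpOnly attribute');
  return findings;
}

// Emit the corrected header: same name, value and Path, plus the attributes
// that keep the cookie off cross-site requests and away from page scripts.
function hardenAuthCookie(header, sameSite = 'Lax') {
  if (!['Lax', 'Strict'].includes(sameSite)) throw new Error('SameSite must be Lax or Strict');
  const { name, value, attrs } = parseSetCookie(header);
  const path = typeof attrs.path === 'string' ? attrs.path : '/';
  return `${name}=${value}; Path=${path}; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Constructed sample with the vulnerable shape: no SameSite attribute at all.
const WEAK_AUTH_COOKIE = 'mediaproxy_auth=abc123; Path=/';
```

Running `auditAuthCookie` against the headers a deployed instance returns (for example via a `curl -i` of the MediaProxy endpoint) gives a quick, non-intrusive way to confirm the fix is in place after updating.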
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3981
Vulnerability details
Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Due to a lack of CSRF countermeasures and improper settings of cookies for MediaProxy authentication, there is a vulnerability that allows MediaProxy authentication to be bypassed.
In versions prior to 12.25Q1.1, the authentication cookie does not have the SameSite attribute. This allows an attacker to bypass MediaProxy authentication and load any image without restrictions under certain circumstances. In versions prior to 12.24Q2.3, this cookie was also used to authenticate the job queue management page (bull-board), so bull-board authentication is also bypassed. This may enable attacks that have a significant impact on availability and integrity. The affected versions are too old to be covered by this advisory, but the maintainers of Concorde strongly recommend not using older versions. Version 12.25Q1.1 contains a patch. There is no effective workaround other than updating.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing web application (Concorde federated platform) that can be directly exploited by unauthenticated remote attackers to bypass authentication controls on MediaProxy and bull-board endpoints, matching the definition of T1190 for exploiting public-facing applications to achieve impacts like availability disruption.
Mitigating Controls (NIST 800-53 r5)
SC-23 requires protections for session authenticity, such as anti-CSRF tokens or SameSite cookie attributes, directly addressing the lack of CSRF countermeasures and missing SameSite attribute that enable authentication bypass.
CM-6 mandates secure configuration settings for web applications, including proper cookie attributes like SameSite to prevent CSRF-based authentication bypass for MediaProxy and bull-board.
SI-10 requires validation of information inputs, which can include CSRF token checks to mitigate forged requests bypassing MediaProxy and job queue management authentication.