CVE-2025-24973
Published: 11 February 2025
Summary
CVE-2025-24973 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). It ranks at the 22.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-12 (Session Termination): requires automatic termination of user sessions on logout, so that authentication credentials such as persistent cookies are cleared and cannot be stolen afterwards.
IA-5 (Authenticator Management): mandates proper management of authenticators, including tokens, with requirements to destroy or refresh them on events such as logout, mitigating their persistence in browser cookies.
SI-2 (Flaw Remediation): requires identification, reporting, and timely patching of flaws such as insufficient session expiration on logout, addressing the CVE directly through the vendor's software update.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's insufficient session expiration (CWE-613) allows auth tokens to persist in browser cookies after explicit logout, directly enabling a local attacker to steal valid web session cookies (T1539) from a shared device and use them for impersonation via alternate authentication material (T1550.004).
NVD Description
Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out.
Deeper analysis
CVE-2025-24973 is a critical-severity authentication vulnerability (CVSS 9.3, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) stemming from an improper implementation of the logout process in Concorde, a federated microblogging platform forked from Misskey and formerly known as Nexkey. In versions prior to 12.25Q1.1, authentication credentials persist in browser cookies even after a user explicitly logs out, enabling theft of these tokens by whoever next has access to the browser. The issue is classified under CWE-613 (Insufficient Session Expiration).
A local attacker with access to a shared device can exploit this vulnerability by accessing the victim's browser cookies after logout, stealing the authentication tokens without requiring privileges or user interaction. Successful exploitation allows the attacker to impersonate the victim, potentially gaining complete control over the account (high confidentiality, integrity, and availability impact with changed scope). This is particularly severe if the victim holds admin privileges on a shared device, as it could lead to full platform compromise.
The Concorde security advisory (GHSA-2369-p2wh-7cc2) and fixing commit (1f6ac9b289906083b132e4f9667a31a60ef83e4e) confirm that version 12.25Q1.1 resolves the issue. Operators should upgrade to the patched version. Users who logged in on a shared device should regenerate their login tokens via Settings > Security, which invalidates the leaked tokens server-side. The workaround of clearing cookies and site data in the browser after logging out only removes the local copy; it does not invalidate a token that was already copied, so token regeneration is still required where exposure is suspected.
Details
- CWE(s)