Cyber Resilience

CVE-2025-24973

Critical

Published: 11 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: version 12.25Q1.1
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.0th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24973 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked at the 23.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-24973 is a critical-severity authentication vulnerability (CVSS 9.3, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) stemming from an improper implementation of the logout process in Concorde, a federated microblogging platform forked from Misskey and formerly known as Nexkey. In versions prior to 12.25Q1.1, authentication credentials persist in browser cookies even after a user explicitly logs out, so the token stays usable and can be taken from the browser's cookie store. The issue is classified under CWE-613 (Insufficient Session Expiration).

A local attacker with access to a shared device can exploit this vulnerability by accessing the victim's browser cookies after logout, stealing the authentication tokens without requiring privileges or user interaction. Successful exploitation allows the attacker to impersonate the victim, potentially gaining complete control over the account (high confidentiality, integrity, and availability impact with changed scope). This is particularly severe if the victim holds admin privileges on a shared device, as it could lead to full platform compromise.

The Concorde security advisory (GHSA-2369-p2wh-7cc2) and fixing commit (1f6ac9b289906083b132e4f9667a31a60ef83e4e) confirm that version 12.25Q1.1 resolves the issue. As mitigation, users should upgrade to the patched version; on shared devices, regenerate login tokens via Settings > Security. A workaround involves manually clearing cookies and site data in the browser after logging out.


Vulnerability details

Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
- T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.

Why these techniques?

The vulnerability's insufficient session expiration (CWE-613) allows auth tokens to persist in browser cookies after explicit logout, directly enabling a local attacker to steal valid web session cookies (T1539) from a shared device and use them for impersonation via alternate authentication material (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-24896 (shared CWE-613)
- CVE-2024-45386 (shared CWE-613)
- CVE-2026-25476 (shared CWE-613)
- CVE-2026-34828 (shared CWE-613)
- CVE-2025-22386 (shared CWE-613)
- CVE-2025-36377 (shared CWE-613)
- CVE-2025-57735 (shared CWE-613)
- CVE-2024-13996 (shared CWE-613)
- CVE-2025-59786 (shared CWE-613)
- CVE-2026-44511 (shared CWE-613)


Mitigating Controls (NIST 800-53 r5)

- Prevent, AC-12 (Session Termination): directly requires automatic termination of user sessions upon logout events, ensuring authentication credentials like persistent cookies are cleared to prevent token theft.
- Prevent, IA-5 (Authenticator Management): mandates proper management of authenticators including tokens, with requirements to destroy or refresh them upon events like logout, mitigating persistence in browser cookies.
- Prevent: ensures identification, reporting, and timely patching of flaws such as insufficient session expiration during logout, directly addressing the CVE via software updates.
