CVE-2025-24897

Feb. 11, 2025, 4:15 p.m.

8.2
High

Description

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protection and the lack of proper security attributes in the authentication cookies of Bull's dashboard, some of the APIs of bull-board may be subject to CSRF attacks. There is a risk of this vulnerability being used for attacks with relatively large impact on availability and integrity, such as the ability to add arbitrary jobs. This vulnerability was fixed in 2025.2.0-alpha.0. As a workaround, block all access to the `/queue` directory with a web application firewall (WAF).
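The affected range in the description can be applied to an inventory of installed Misskey versions. The following is an added example, not code from Misskey or from the advisory. It assumes version strings follow SemVer 2.0.0 ordering; the function names and the sample hosts are hypothetical.

```python
import re

# Range from the description: introduced in 12.109.0, fixed in
# 2025.2.0-alpha.0 (the fixed version itself is not affected).
INTRODUCED = "12.109.0"
FIXED = "2025.2.0-alpha.0"
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

def parse(version):
    """Turn a version string into a key ordered by SemVer 2.0.0 precedence."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    if m.group(4) is None:
        # A release sorts after every pre-release of the same core version.
        return core + ((1,),)
    # Numeric identifiers compare as integers and sort before alphanumeric ones.
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i)
                for i in m.group(4).split("."))
    return core + ((0, ids),)

def is_affected(version):
    """True when INTRODUCED <= version < FIXED."""
    return parse(INTRODUCED) <= parse(version) < parse(FIXED)

def triage(inventory):
    """Label each host 'affected', 'not affected' or 'unknown' (unparseable)."""
    labels = {}
    for host, version in inventory.items():
        try:
            labels[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            labels[host] = "unknown"
    return labels

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = {
    "a.example": "12.108.1",
    "b.example": "13.14.2",
    "c.example": "2025.1.0-beta.3",
    "d.example": "2025.2.0-alpha.0",
    "e.example": "custom-build",
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE).items():
        print(f"{host}: {label}")
```

Hosts labelled `unknown` carry a version string that does not parse as SemVer and need a manual check.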

Product(s) Impacted

Product Versions
Misskey
  • 12.109.0 - 2025.2.0-alpha.0

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVSS Score

8.2 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: LOW
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L

Date

  • Published: Feb. 11, 2025, 4:15 p.m.
  • Last Modified: Feb. 11, 2025, 4:15 p.m.

Status: Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

Source

security-advisories@github.com