CVE-2025-21611
📋 TL;DR
tgstation-server versions before 6.12.3 contain an authorization bypass: the permission checks that gate API methods combined their conditions with OR logic where AND was intended, so satisfying any one condition was enough to pass. Any enabled user account, however limited its assigned role, can therefore call most API methods its role does not grant and perform the corresponding actions. Every deployment that uses tgstation-server to manage BYOND game servers is affected.
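The OR-for-AND mistake described in the summary, reduced to a runnable model. This is an added illustration and not tgstation-server's own code: the `Right` flags, the operation table and the three accounts are constructed for the demo. The audit loop at the end enumerates every role against every operation and compares the check under test with the intended AND rule, which is also the shape of the behavioural test to run against a server after updating.

```python
"""Model of an authorization check that ORs its conditions instead of ANDing them.

Added example; the rights, operations and users below are hypothetical and
are not taken from tgstation-server.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    # Hypothetical permission bits for the demo (not the project's own rights).
    NONE = 0
    READ_USERS = auto()
    WRITE_USERS = auto()
    UPDATE_SERVER = auto()
    RESTART_SERVER = auto()


@dataclass(frozen=True)
class User:
    name: str
    enabled: bool
    rights: Right


# Hypothetical API operations and the right each one is meant to require.
REQUIRED_RIGHT = {
    "list_users": Right.READ_USERS,
    "create_user": Right.WRITE_USERS,
    "update_server": Right.UPDATE_SERVER,
    "restart_server": Right.RESTART_SERVER,
}

# Constructed accounts: a full admin, a read-only operator, and a disabled
# account that still carries one right (disabling is meant to win).
USERS = [
    User("admin", True,
         Right.READ_USERS | Right.WRITE_USERS | Right.UPDATE_SERVER | Right.RESTART_SERVER),
    User("viewer", True, Right.READ_USERS),
    User("former-admin", False, Right.READ_USERS),
]


def authorize_vulnerable(user: User, required: Right) -> bool:
    """The OR mistake: two gates that should both hold are joined with 'or'.

    Consequence in this model: an enabled account passes without holding the
    right, and a disabled account passes if it still holds the right.
    """
    return user.enabled or (user.rights & required) == required


def authorize_fixed(user: User, required: Right) -> bool:
    """Corrected check: the account must be enabled AND hold every required bit."""
    return user.enabled and (user.rights & required) == required


def bypasses(authorize) -> list[tuple[str, str]]:
    """Return (user, operation) pairs that `authorize` permits but the
    corrected AND rule denies. An empty list means no over-granting."""
    found = []
    for user in USERS:
        for op, right in REQUIRED_RIGHT.items():
            if authorize(user, right) and not authorize_fixed(user, right):
                found.append((user.name, op))
    return found


if __name__ == "__main__":
    print("vulnerable check over-grants:", bypasses(authorize_vulnerable))
    print("fixed check over-grants:", bypasses(authorize_fixed))
```

Running it shows the read-only "viewer" account reaching `create_user`, `update_server` and `restart_server` under the OR check, which is exactly the class of exposure the advisory describes; the AND check over-grants nothing.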
💻 Affected Systems
- tgstation-server (versions before 6.12.3)
📦 What is this software?
tgstation-server by Tgstation13: a server-side management tool for BYOND game servers, exposing its administration functions through an HTTP API and web interface.
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could modify server configurations, deploy code changes, manipulate game instances, or disrupt operations by accessing administrative API endpoints they shouldn't have permissions for.
Likely Case
Users with limited permissions could perform actions beyond their intended scope, such as restarting servers, modifying configurations, or accessing sensitive data through the API.
If Mitigated
With API access restricted to trusted hosts and the set of enabled accounts kept to a minimum, exposure is confined to the users who can still reach the API. Those users can nevertheless call methods beyond their assigned role, so least privilege is not restored until the patch is applied.
🎯 Exploit Status
Exploitation requires a valid, enabled user account but no special tooling or skill: the attacker simply calls the API methods their role should not grant. The only knowledge needed is which API methods perform the desired action.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.12.3
Vendor Advisory: https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rf5r-q276-vrc4
Restart Required: Yes (the service is stopped and started again as part of the update procedure below)
Instructions:
1. Back up the current configuration and data.
2. Stop the tgstation-server service.
3. Update to version 6.12.3 using your deployment method (Docker, manual install, etc.).
4. Start the service again.
5. Verify functionality.
🔧 Temporary Workarounds
Temporary Role Restriction
Temporarily restrict all user roles to the minimum permissions needed until the patch is applied. Note the limit of this workaround: because the flaw lets any enabled account call methods its role does not grant, trimming role permissions alone does not close the gap. Disabling accounts that do not need API access is the control that actually reduces exposure in the interim.
🧯 If You Can't Patch
- Implement strict network access controls so that only trusted IPs can reach the tgstation-server API
- Disable or remove every account that does not need API access; reducing the rights of accounts that stay enabled does not help on its own, since the flaw lets enabled users bypass their role restrictions
🔍 How to Verify
Check if Vulnerable:
Read the running tgstation-server version from the web interface or the configuration file and compare it with 6.12.3. Any lower version is vulnerable.
Check Version:
Check web interface or configuration file for version number
Verify Fix Applied:
After updating, confirm the reported version is 6.12.3 or later, then confirm the fix behaviourally: authenticate as an enabled account with a deliberately minimal role and check that API calls outside its assigned rights are rejected rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual API access patterns from users
- Users accessing endpoints not matching their role permissions
- Failed authorization attempts followed by successful access
Network Indicators:
- API requests to administrative endpoints from non-admin users
- Increased API traffic from individual users
SIEM Query:
Pseudo-query; substitute the field names your log source (tgstation-server itself, or a reverse proxy in front of it) actually records:
source="tgstation-server" AND outcome="success" AND NOT (user_role IN roles_allowed_for(endpoint))
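The log indicators above as runnable detection logic. This is an added example, not part of the original page or of tgstation-server: the line format, the role table and the six sample events are constructed for the demo, so adapt the regex and `ROLE_ALLOWS` to the fields your reverse proxy or SIEM actually records for tgstation-server API requests. It implements all three indicators listed: a successful call outside the user's role, a denial followed by a success for the same user and operation, and request volume per user.

```python
"""Detection over constructed API audit lines for the role-bypass indicators.

Added example. The log format below is hypothetical:
    <timestamp> <user> <role> <method> <path> <http-status>
"""
import re
from collections import Counter

# Constructed role model: the operations each role is meant to reach.
ROLE_ALLOWS = {
    "admin": {"GET /users", "POST /users", "POST /server/update", "POST /server/restart"},
    "viewer": {"GET /users"},
}

# Constructed sample events (not real tgstation-server logs).
SAMPLE_LOG = """\
2025-01-10T12:00:01Z alice admin POST /server/update 202
2025-01-10T12:00:05Z bob viewer GET /users 200
2025-01-10T12:00:09Z bob viewer POST /server/restart 202
2025-01-10T12:00:12Z bob viewer POST /users 403
2025-01-10T12:00:15Z bob viewer POST /users 201
2025-01-10T12:00:20Z carol viewer GET /users 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            ev["op"] = f'{ev["method"]} {ev["path"]}'
            yield ev


def out_of_role_successes(log_text: str) -> list[tuple[str, str, int]]:
    """Indicator 1: a 2xx response for an operation the user's role does not
    allow. This is the 'role != required AND action = success' idea from the
    pseudo-query above made concrete."""
    hits = []
    for ev in parse(log_text):
        allowed = ROLE_ALLOWS.get(ev["role"], set())
        if 200 <= ev["status"] < 300 and ev["op"] not in allowed:
            hits.append((ev["user"], ev["op"], ev["status"]))
    return hits


def denied_then_allowed(log_text: str) -> list[tuple[str, str]]:
    """Indicator 2: a 403 for (user, operation) followed later by a 2xx for
    the same pair. Events are processed in file order, which is assumed to be
    chronological."""
    seen_denied: set[tuple[str, str]] = set()
    hits = []
    for ev in parse(log_text):
        key = (ev["user"], ev["op"])
        if ev["status"] == 403:
            seen_denied.add(key)
        elif 200 <= ev["status"] < 300 and key in seen_denied:
            hits.append(key)
    return hits


def calls_per_user(log_text: str) -> dict[str, int]:
    """Indicator 3: request volume per user, for baselining unusual activity."""
    return dict(Counter(ev["user"] for ev in parse(log_text)))


if __name__ == "__main__":
    print("out-of-role successes:", out_of_role_successes(SAMPLE_LOG))
    print("denied then allowed:", denied_then_allowed(SAMPLE_LOG))
    print("calls per user:", calls_per_user(SAMPLE_LOG))
```

On the sample, the viewer account "bob" is flagged twice for succeeding at operations outside its role, and once for a denial followed by success on the same operation; these are the events to alert on, and on a patched server the first list should be empty.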