CVE-2025-24896

8.1 HIGH

📋 TL;DR

Misskey versions 12.109.0 through 2025.2.0-alpha.0 fail to delete authentication tokens from cookies after logout, allowing session persistence. This primarily affects users who log in from shared or public computers, potentially enabling unauthorized access to their accounts even after they've logged out.

💻 Affected Systems

Products:
  • Misskey
Versions: 12.109.0 up to, but not including, 2025.2.0-alpha.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Bull Dashboard authentication; requires users to log in from shared devices to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains unauthorized access to a user's Misskey account on a shared device, potentially compromising private messages, administrative functions, and federated social media interactions.

🟠 Likely Case

Subsequent users of a shared computer could access the previous user's Misskey session, viewing private content and performing actions as that user.

🟢 If Mitigated

With proper session management controls and user awareness, the remaining risk is confined to shared-device scenarios.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires physical or remote access to a device on which a user previously logged in and did not clear cookies manually.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.2.0-alpha.0

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm

Restart Required: No

Instructions:

1. Update Misskey to version 2025.2.0-alpha.0 or later.
2. Apply the commit ba9f295ef2bf31cc90fa587e20b9a7655b7a1824 if manually patching.
3. No restart is required for the fix to take effect.

🔧 Temporary Workarounds

Manual Cookie Deletion (applies to: all)

Users should manually clear browser cookies after logging out from shared devices.

Disable Bull Dashboard (applies to: all)

Temporarily disable Bull Dashboard if it is not required; this removes the affected authentication path and reduces the attack surface.

🧯 If You Can't Patch

  • Implement strict access controls on shared devices and enforce manual cookie clearing policies.
  • Monitor authentication logs for unusual session activity and implement alerting for multiple logins from the same device.

🔍 How to Verify

Check if Vulnerable:

The instance is affected if its Misskey version is at least 12.109.0 and lower than 2025.2.0-alpha.0, and Bull Dashboard is enabled.

Check Version:

Read the Misskey instance's version from the admin panel or from the instance metadata API.

Verify Fix Applied:

After updating, log in to the Bull Dashboard, log out, and confirm in the browser's cookie storage that the 'token' cookie has been removed.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins from the same device/IP without fresh authentication
  • Session tokens persisting beyond logout events

Network Indicators:

  • Unauthorized requests using previously valid session tokens

SIEM Query:

source="misskey" AND (event="login" OR event="logout") | stats count by user, device_id | where count > 1
