CVE-2025-24897

8.2 HIGH

📋 TL;DR

This CSRF vulnerability in Misskey's Bull dashboard allows attackers to perform unauthorized actions by tricking authenticated users into submitting malicious requests. It affects Misskey instances running versions 12.109.0 through 2025.2.0-alpha.0. Attackers could add arbitrary jobs to the queue system, potentially disrupting service availability and integrity.

💻 Affected Systems

Products:
  • Misskey
Versions: 12.109.0 through 2025.2.0-alpha.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with Bull dashboard enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through job queue manipulation leading to service disruption, data corruption, or unauthorized administrative actions.

🟠 Likely Case: Attackers add malicious jobs to the queue causing service degradation, resource exhaustion, or execution of unauthorized tasks.

🟢 If Mitigated: No impact if proper CSRF protections are implemented and access controls are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick authenticated users into visiting malicious pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.2.0-alpha.0

Vendor Advisory: https://github.com/misskey-dev/misskey/security/advisories/GHSA-38w6-vx8g-67pp

Restart Required: No

Instructions:

1. Update Misskey to version 2025.2.0-alpha.0 or later.
2. Verify the commit 77e421029cb564a97f42b6e41c9edce49f79cecd is included.
3. No restart is required for web application updates.

🔧 Temporary Workarounds

WAF Block Queue Directory (applies to: all)

Block all access to the /queue directory using a web application firewall.

WAF rule: Block requests to path '/queue/*'

🧯 If You Can't Patch

  • Implement strict access controls to limit Bull dashboard access to trusted networks only.
  • Deploy CSRF protection middleware for all Bull dashboard endpoints.

🔍 How to Verify

Check if Vulnerable:

The instance is vulnerable if its Misskey version is between 12.109.0 and 2025.2.0-alpha.0 and the Bull dashboard is accessible at /queue.

Check Version:

Check package.json or admin panel for Misskey version.

Verify Fix Applied:

Confirm version is 2025.2.0-alpha.0 or later and verify CSRF tokens are required for Bull dashboard API requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual job additions to Bull queue from unexpected IPs or user agents.
  • Multiple failed CSRF token validations for /queue endpoints.

Network Indicators:

  • HTTP POST requests to /queue/* endpoints without proper Referer headers or CSRF tokens.

SIEM Query:

source='misskey-logs' AND path='/queue/*' AND (csrf_token='missing' OR csrf_token='invalid')
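The network indicator above (state-changing requests to /queue/* arriving without a same-site Origin or Referer) can be checked offline against access logs. The script below is an added example for this advisory, not Misskey or Bull code; it assumes a constructed JSON-lines log format (method, path, origin, referer fields), a constructed request path, and the instance hostname INSTANCE_HOST.

```python
import json
from urllib.parse import urlsplit

INSTANCE_HOST = "misskey.example"  # assumed hostname of the monitored instance

# Constructed JSON-lines access log (not real Misskey output): a same-site
# dashboard POST, a POST with no Origin/Referer, a cross-site POST, and a GET.
SAMPLE_LOG = """
{"method":"POST","path":"/queue/api/jobs","origin":"https://misskey.example","referer":"https://misskey.example/queue/"}
{"method":"POST","path":"/queue/api/jobs","origin":null,"referer":null}
{"method":"POST","path":"/queue/api/jobs","origin":"https://attacker.example","referer":"https://attacker.example/page.html"}
{"method":"GET","path":"/queue/","origin":null,"referer":"https://attacker.example/"}
""".strip()

def request_origin(entry):
    """Host named by the Origin header, falling back to Referer; None if neither is set."""
    for header in ("origin", "referer"):
        value = entry.get(header)
        if value:
            return urlsplit(value).hostname
    return None

def is_suspicious(entry, instance_host=INSTANCE_HOST):
    """True for state-changing requests under /queue/ whose source site is
    missing or differs from the instance host, i.e. the cross-site shape."""
    if entry.get("method", "").upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return False
    if not entry.get("path", "").startswith("/queue/"):
        return False
    src = request_origin(entry)
    return src is None or src.lower() != instance_host.lower()

def scan_log(text, instance_host=INSTANCE_HOST):
    """Parse JSON lines and return the entries that match the CSRF indicator."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        if is_suspicious(entry, instance_host):
            hits.append(entry)
    return hits

for hit in scan_log(SAMPLE_LOG):
    print("suspicious:", hit["method"], hit["path"], "source:", request_origin(hit))
```

A missing Origin and Referer is also produced by some privacy-oriented clients, so treat those hits as lower confidence than a foreign Origin and corroborate them with the job-addition records in the queue itself.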
