Unrated severityNVD Advisory· Published Feb 11, 2025· Updated Feb 12, 2025

Misskey allows token to remain valid in cookie after signing out

CVE-2025-24896

Description

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named token is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.

Affected products

Misskey Dev/Misskeyv5
Range: >= 12.109.0, < 2025.2.0-alpha.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824mitrex_refsource_MISC
github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjmmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000