Authentication Token Exposure in Misskey Platform by Misskey Dev
CVE-2025-24896

8.1HIGH

Key Information:

Vendor: Misskey-dev
Status: Misskey
Vendor: CVE Published:; 11 February 2025

🔔 Create Misskey-dev Vulnerability Alert

What is CVE-2025-24896?

The Misskey platform has a vulnerability where the login token, named 'token', remains stored in a cookie even after user logout. This flaw primarily affects users who access Misskey on public or shared devices, as it may expose their authentication credentials to subsequent users of the device. Even those who log out before lending their devices can be at risk if the token is not properly cleared. The issue is resolved in version 2025.2.0-alpha.0, which ensures that tokens are securely managed and deleted upon logout, enhancing user privacy and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

misskey >= 12.109.0, < 2025.2.0-alpha.0

References

https://github.com/misskey-dev/misskey/security/advisorie...

x_refsource_CONFIRM

https://github.com/misskey-dev/misskey/commit/ba9f295ef2b...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2025
Vulnerability Reserved
Jan 27, 2025

JSON

Misskey-dev

What is CVE-2025-24896?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.