CSRF Vulnerability in Misskey's Bull Dashboard Affecting Multiple Versions
CVE-2025-24897
8.2HIGH
What is CVE-2025-24897?
Misskey, an open-source federated social media platform, has a vulnerability in its Bull's dashboard prior to version 2025.2.0-alpha.0 that exposes certain APIs to Cross-Site Request Forgery (CSRF) attacks. This situation arises from insufficient CSRF protection combined with inadequate security attributes in authentication cookies. Attackers could exploit this vulnerability, potentially impacting the integrity and availability of the service by triggering arbitrary jobs. Users are strongly encouraged to update to the latest version to mitigate risks. As an interim solution, they should consider blocking all access to the /queue directory using a web application firewall (WAF).
Affected Version(s)
misskey >= 12.109.0, < 2025.2.0-alpha.0
