CSRF Vulnerability in Concorde MediaProxy Authentication
CVE-2025-24900

8.6HIGH

Key Information:

Vendor

Nexryai

Status
Concorde
Vendor
CVE Published:
11 February 2025

What is CVE-2025-24900?

A CSRF vulnerability in Concorde, a fork of the Misskey platform, stems from missing countermeasures and improper cookie settings for MediaProxy authentication. Specifically, prior to version 12.25Q1.1, the authentication cookie lacked the SameSite attribute, allowing attackers to bypass MediaProxy authentication and potentially load images without restrictions. Older versions also exposed the bull-board management page to unauthenticated access. It is critical for users on outdated versions to upgrade to version 12.25Q1.1, which includes necessary security patches to mitigate these vulnerabilities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

concorde < 12.25Q1.1

References

https://github.com/nexryai/concorde/security/advisories/G...
x_refsource_CONFIRM
https://github.com/nexryai/concorde/commit/2309b4a292828d...
x_refsource_MISC
https://github.com/nexryai/concorde/commit/f3f54bde6a37ad...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.