CSRF Vulnerability in Concorde MediaProxy Authentication
CVE-2025-24900

8.6HIGH

Key Information:

Vendor: Nexryai
Status: Concorde
Vendor: CVE Published:; 11 February 2025

What is CVE-2025-24900?

A CSRF vulnerability in Concorde, a fork of the Misskey platform, stems from missing countermeasures and improper cookie settings for MediaProxy authentication. Specifically, prior to version 12.25Q1.1, the authentication cookie lacked the SameSite attribute, allowing attackers to bypass MediaProxy authentication and potentially load images without restrictions. Older versions also exposed the bull-board management page to unauthenticated access. It is critical for users on outdated versions to upgrade to version 12.25Q1.1, which includes necessary security patches to mitigate these vulnerabilities.

Affected Version(s)

concorde < 12.25Q1.1

References

https://github.com/nexryai/concorde/security/advisories/G...

x_refsource_CONFIRM

https://github.com/nexryai/concorde/commit/2309b4a292828d...

x_refsource_MISC

https://github.com/nexryai/concorde/commit/f3f54bde6a37ad...

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2025
Vulnerability Reserved
Jan 27, 2025

Nexryai

What is CVE-2025-24900?

Affected Version(s)

References

CVSS V3.1

Timeline