Authentication Token Exposure in Concorde by Nexkey
CVE-2025-24973
9.4 CRITICAL
What is CVE-2025-24973?
Concorde, a fork of the Misskey microblogging platform, has a security flaw in its logout process. In versions prior to 12.25Q1.1, logging out does not remove the user's authentication credentials from the browser's cookies, leaving the tokens exposed to theft. The risk is greatest for users with admin permissions on shared devices. To mitigate it, users should clear cookies and site data in their browser after logging out and regenerate their login tokens in the account settings.
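The flaw described above is a logout that leaves the session cookie (and the server-side token) alive. The following is an added illustration, not Concorde's or Misskey's code: a weak logout handler beside a hardened one that revokes the token server side and expires the cookie with matching attributes. The cookie name `token`, the in-memory `TokenStore` and the `/` path are assumptions for the demo.

```javascript
// Added illustration (not Concorde's or Misskey's code). Cookie name "token",
// the in-memory TokenStore and Path=/ are assumptions for this demo.

// Server-side token registry. The token must be revoked here too; otherwise a
// cookie copy left in the browser would still be accepted by the server.
class TokenStore {
  constructor() { this.valid = new Set(); }
  issue(token) { this.valid.add(token); return token; }
  isValid(token) { return this.valid.has(token); }
  revoke(token) { this.valid.delete(token); }
}

// Set-Cookie header that overwrites the auth cookie with an empty value and a
// past expiry. Path (and Domain, if one was used when the cookie was set) must
// match the original attributes, or the browser keeps the old cookie untouched.
function clearCookieHeader(name, { path = '/', domain } = {}) {
  let header = `${name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; ` +
               `Path=${path}; HttpOnly; Secure; SameSite=Lax`;
  if (domain) header += `; Domain=${domain}`;
  return header;
}

// Weak logout: only redirects and forgets client-side state. The cookie and the
// server-side token both survive, which is the failure mode the advisory describes.
function weakLogout(store, token) {
  return {
    status: 302,
    headers: { Location: '/' },
    tokenStillValid: store.isValid(token),
  };
}

// Hardened logout: revoke the token server side and expire the cookie.
function hardenedLogout(store, token, cookieName = 'token') {
  store.revoke(token);
  return {
    status: 302,
    headers: { Location: '/', 'Set-Cookie': clearCookieHeader(cookieName) },
    tokenStillValid: store.isValid(token),
  };
}

// Demo on a constructed token value.
const demoStore = new TokenStore();
const demoToken = demoStore.issue('demo-token-abc123');
console.log(weakLogout(demoStore, demoToken));      // tokenStillValid: true
console.log(hardenedLogout(demoStore, demoToken));  // tokenStillValid: false
```

Clearing the cookie alone is not enough either: a token already copied out of the browser stays usable until it is revoked or regenerated, which is why the advisory also recommends regenerating login tokens.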
Affected Version(s)
concorde < 12.25Q1.1