Cross-Site Request Forgery Vulnerability in FluxCP for rAthena Servers by rAthena
CVE-2025-62797

8.6 HIGH

Key Information:

Vendor: Rathena

Status
Vendor
CVE Published: 29 October 2025

What is CVE-2025-62797?

FluxCP, a web-based control panel for rAthena servers, is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. Specific state-changing POST requests are authenticated solely by session cookies and lack anti-CSRF tokens or adequate Origin/Referer validation. If a logged-in user unwittingly visits a malicious page, the attacker can trigger sensitive actions on the server without the user's consent. The vulnerability was addressed in commit e3f130c.

Affected Version(s)

FluxCP < e3f130c4a2ccd615a3ee2ee0302ecbfbd84747e6

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
