CVE-2025-21611
Published: 06 January 2025
Description
tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected, so users may not use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3.
Security Summary
CVE-2025-21611 is an improper authorization vulnerability (CWE-285) in tgstation-server, a production-scale tool for managing BYOND servers. In versions prior to 6.12.3, the authorization logic for API methods incorrectly used an OR operation instead of an AND operation when combining roles for authorization with the role determining user enablement. This flaw enables users who are marked as enabled to bypass intended permission checks for most authorized actions, though not all endpoints are affected.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and low privileges required. An authenticated attacker with an enabled account but lacking specific permissions can exploit this over the network without user interaction to gain unauthorized access to sensitive API functions, potentially reading confidential data, modifying server configurations, or disrupting operations. However, the WriteUsers permission remains unaffected, preventing permanent privilege escalation on user accounts.
Mitigation is available via upgrade to tgstation-server version 6.12.3, which corrects the authorization logic as detailed in the project's GitHub security advisory (GHSA-rf5r-q276-vrc4), issue tracker (#2064), and the fixing commit (e7b1189620baaf03c2d23f6e164d07c7c7d87d57). Security practitioners managing BYOND server infrastructure should prioritize this upgrade, since any enabled account, not only privileged ones, can reach the affected API methods on unpatched versions.
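To make the OR-versus-AND flaw concrete, the following is an added Python model of the authorization check described above; it is not tgstation-server's own code (the project is C#), and the `Right` values, `User` type, sample accounts and endpoint table are constructed for the illustration. Only the "enabled" role and the WriteUsers right are named in the advisory; WriteUsers is left out of the endpoint table because the page states it is unaffected without saying why.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    """Hypothetical rights for this model; only ENABLED and WRITE_USERS are named in the advisory."""
    NONE = 0
    ENABLED = auto()          # the role that marks an account as enabled
    READ_LOGS = auto()
    RESTART_SERVER = auto()
    WRITE_USERS = auto()


@dataclass(frozen=True)
class User:
    name: str
    rights: Right


# Constructed sample: a full admin, an enabled account with no rights, and a disabled account.
SAMPLE_USERS = (
    User("admin", Right.ENABLED | Right.READ_LOGS | Right.RESTART_SERVER | Right.WRITE_USERS),
    User("newbie", Right.ENABLED),
    User("suspended", Right.READ_LOGS),
)
# Constructed endpoint -> required right table (WriteUsers omitted, see lead-in).
SAMPLE_ENDPOINTS = {"logs": Right.READ_LOGS, "restart": Right.RESTART_SERVER}


def authorize_vulnerable(user: User, required: Right) -> bool:
    """Pre-6.12.3 logic as the advisory describes it: the enabled role is OR'd with
    the endpoint's required right, so being enabled alone is sufficient."""
    return bool(user.rights & Right.ENABLED) or bool(user.rights & required)


def authorize_fixed(user: User, required: Right) -> bool:
    """6.12.3 logic: the account must be enabled AND hold the required right."""
    return bool(user.rights & Right.ENABLED) and bool(user.rights & required)


def over_grants(users=SAMPLE_USERS, endpoints=SAMPLE_ENDPOINTS):
    """Sorted (user, endpoint) pairs the vulnerable check allows but the fixed check denies.
    Running this over a real user/endpoint table scopes the exposure of an unpatched instance.
    Note the disabled account with a right also slips through: a consequence of the OR as
    modelled here, which the advisory itself does not spell out."""
    return sorted(
        (u.name, ep) for u in users for ep, req in endpoints.items()
        if authorize_vulnerable(u, req) and not authorize_fixed(u, req)
    )


if __name__ == "__main__":
    for pair in over_grants():
        print("over-granted under pre-6.12.3 logic:", pair)
```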
Details
- CWE(s)