CVE-2025-24896
Published: 11 February 2025
Description
Adversaries can use stolen session cookies to authenticate to web applications and services.
Security Summary
CVE-2025-24896 is a session management vulnerability in the Bull Dashboard component of Misskey, an open source federated social media platform. It affects versions from 12.109.0 up to but not including 2025.2.0-alpha.0. The issue stems from the login token, stored in a cookie named `token` for authentication, not being deleted when the user logs out, so the cookie remains valid in the browser after logout. The flaw is classified under CWE-613 (Insufficient Session Expiration) and has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high severity: it is exploitable over the network without prior privileges, with user interaction required.
An attacker can exploit this vulnerability by accessing a victim's browser or device after the victim has logged out of Misskey, such as on a public PC or a shared device lent to someone else. By extracting the undeleted `token` cookie, the attacker can authenticate to the Bull Dashboard over the network without further privileges, achieving high confidentiality and integrity impacts. This enables unauthorized access to potentially sensitive queue management functions, effectively hijacking the session.
The Misskey security advisory (GHSA-w98m-j6hq-cwjm) and the fixing commit (ba9f295ef2bf31cc90fa587e20b9a7655b7a1824) confirm that version 2025.2.0-alpha.0 resolves the issue by properly deleting the token cookie upon logout. Security practitioners should advise Misskey administrators to update to 2025.2.0-alpha.0 or later and recommend users clear browser cookies or avoid shared devices for authentication.
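The defensive check that follows from this fix is whether a logout response actually expires the `token` cookie. The script below, an added example and not Misskey's own code, parses the `Set-Cookie` headers of a logout response and reports whether the named cookie is cleared with a matching `Path`; the sample responses are constructed, and the `Path=/` assumption is mine, not taken from the advisory.

```javascript
// Parse one Set-Cookie header into { name, value, attributes }; attribute keys are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// A cookie is cleared when Max-Age <= 0 or Expires lies in the past (RFC 6265 semantics).
function cookieIsCleared(cookie, now = Date.now()) {
  const { attributes } = cookie;
  if ('max-age' in attributes && Number(attributes['max-age']) <= 0) return true;
  if ('expires' in attributes) {
    const t = Date.parse(attributes.expires);
    return !Number.isNaN(t) && t <= now;
  }
  return false;
}

// Browsers only overwrite a cookie when name and Path match, so a clearing header with the
// wrong Path leaves the original cookie alive. expectedPath is the Path the login set (assumed '/').
function logoutClearsCookie(setCookieHeaders, cookieName, expectedPath = '/') {
  return setCookieHeaders
    .map(parseSetCookie)
    .some((c) => c.name === cookieName && (c.attributes.path ?? null) === expectedPath && cookieIsCleared(c));
}

// Header a logout handler should emit to expire the auth cookie (hypothetical helper, not Misskey's).
function buildClearCookieHeader(name, path = '/') {
  return `${name}=; Max-Age=0; Path=${path}; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample logout responses for the three outcomes a reviewer would want to distinguish.
const VULNERABLE_LOGOUT = []; // no Set-Cookie: the token cookie survives in the browser
const FIXED_LOGOUT = ['token=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax'];
const WRONG_PATH_LOGOUT = ['token=; Max-Age=0; Path=/other; HttpOnly']; // looks cleared, is not

for (const [label, headers] of [['vulnerable', VULNERABLE_LOGOUT], ['fixed', FIXED_LOGOUT], ['wrong path', WRONG_PATH_LOGOUT]]) {
  console.log(`${label}: token cookie cleared on logout = ${logoutClearsCookie(headers, 'token')}`);
}
```

Point the same parser at a real instance's logout response (the raw `Set-Cookie` headers) to confirm the upgrade behaves as the advisory describes.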
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability (insufficient session expiration) leaves an authentication token cookie valid after logout, directly enabling extraction of the web session cookie from a device/browser (T1539) and subsequent use of that cookie as alternate authentication material to hijack access to the dashboard (T1550.004).