CVE-2025-24897

CVE-2025-24897 is a cross-site request forgery (CSRF) vulnerability affecting Misskey, an open source federated social media platform. It impacts versions starting from 12.109.0 up to but not including 2025.2.0-alpha.0. The issue arises from a lack of CSRF protection combined with improper security attributes in the authentication cookies of Bull's dashboard, exposing certain bull-board APIs to CSRF attacks. Associated weakness enumerations include CWE-352 (Cross-Site Request Forgery), CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), and CWE-1275 (Sensitive Cookie in HTTPS Session Without 'HttpOnly' Attribute).

The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, high integrity impact, and low availability impact. An attacker can exploit it by tricking an authenticated user—likely an administrator with access to the Bull dashboard—into interacting with a malicious webpage. This enables CSRF requests to bull-board APIs, allowing the addition of arbitrary jobs that could significantly disrupt availability and integrity.

Misskey fixed the vulnerability in version 2025.2.0-alpha.0. As a workaround, block all access to the /queue directory using a web application firewall (WAF). Additional details are provided in the GitHub security advisory at GHSA-38w6-vx8g-67pp and the fixing commit at 77e421029cb564a97f42b6e41c9edce49f79cecd.