CVE-2025-24900
Published: 11 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24900 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting Concorde, a federated microblogging platform forked from Misskey and formerly known as Nexkey. The issue stems from a lack of CSRF countermeasures and improper cookie settings for MediaProxy authentication, specifically the absence of the SameSite attribute on the authentication cookie in versions prior to 12.25Q1.1. This allows attackers to bypass MediaProxy authentication and load any image without restrictions under certain circumstances. Additionally, in versions prior to 12.24Q2.3, the same cookie authenticates the job queue management page (bull-board), enabling its bypass as well. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
Per the vector, an unauthenticated attacker with network access needs no privileges and no user interaction, and the scope is changed. Note that the scored impact is to availability only (C:N/I:N/A:H); confidentiality and integrity are rated none. Successful exploitation bypasses the MediaProxy restrictions, so the instance can be made to fetch and serve arbitrary images on the attacker's behalf, which is what the availability rating reflects. On versions prior to 12.24Q2.3 the same cookie also admits the attacker to bull-board, the job queue management page, which adds denial-of-service and job-manipulation risk on top of the proxy abuse.
The GitHub security advisory (GHSA-5hgq-9vw8-7v87) notes that the affected versions are too old to fall within its support scope and strongly recommends against using them. Version 12.25Q1.1 sets the SameSite attribute on the MediaProxy authentication cookie; the bull-board authentication was fixed separately in a later commit. There is no effective workaround other than updating, as detailed in the advisory and the related commits.
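The following is an added example, not Concorde's or Misskey's code, that models the cookie setting at the root of this CVE: an authentication cookie issued without a SameSite attribute, and the (simplified) browser policy that decides whether that cookie rides along on a cross-site request such as an `<img src="...">` placed on an attacker's page. The cookie name `mediaproxy_auth`, the request shapes and the 401/served outcomes are assumptions for illustration; the advisory does not state which SameSite value the fix uses, so both Lax and Strict are shown.

```javascript
// Added example (not the project's code). Models CVE-2025-24900: a cookie that
// authenticates MediaProxy but carries no SameSite attribute, so a browser
// attaches it to cross-site subresource loads. Cookie name, paths and request
// shapes below are assumptions for illustration.

const COOKIE_NAME = "mediaproxy_auth"; // hypothetical cookie name

// Build a Set-Cookie header value. Omitting opts.sameSite is the vulnerable form.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${value}`, "Path=/", "HttpOnly"];
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Minimal Set-Cookie parser: name, value and the two attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// Simplified browser SameSite policy (RFC 6265bis). `missingDefault` is what the
// browser assumes when the attribute is absent: "none" for browsers that send the
// cookie on every request (the behaviour this CVE relies on), "lax" for
// Chromium-style defaults. Modern browsers also refuse to store an explicit
// SameSite=None cookie that lacks Secure, so such a cookie is never sent.
function isCookieSent(cookie, req, { missingDefault = "none" } = {}) {
  if (cookie.sameSite === "none" && !cookie.secure) return false;
  const mode = cookie.sameSite ?? missingDefault;
  if (req.sameSite) return true;        // same-site requests always carry the cookie
  if (mode === "none") return true;     // no cross-site restriction at all
  if (mode === "strict") return false;  // never sent cross-site
  // lax: only top-level navigations with a safe method (a link click, not an <img>)
  return mode === "lax" && req.topLevelNavigation && req.method === "GET";
}

// What a cookie-authenticated proxy endpoint would do for a given request
// context, given the Set-Cookie header it issued earlier.
function mediaProxyDecision(setCookieHeader, req, policy) {
  const cookie = parseSetCookie(setCookieHeader);
  return isCookieSent(cookie, req, policy) ? "served" : "401";
}

// Constructed request contexts.
const crossSiteImgLoad   = { sameSite: false, topLevelNavigation: false, method: "GET" }; // <img> on attacker page
const crossSiteLinkClick = { sameSite: false, topLevelNavigation: true,  method: "GET" }; // link from attacker page
const sameSiteFetch      = { sameSite: true,  topLevelNavigation: false, method: "GET" }; // the instance's own UI

// Vulnerable shape (no SameSite attribute) versus two hardened shapes.
const VULNERABLE_SET_COOKIE = buildSetCookie(COOKIE_NAME, "s3cr3t", { secure: true });
const LAX_SET_COOKIE        = buildSetCookie(COOKIE_NAME, "s3cr3t", { secure: true, sameSite: "Lax" });
const STRICT_SET_COOKIE     = buildSetCookie(COOKIE_NAME, "s3cr3t", { secure: true, sameSite: "Strict" });

// Stand-alone demo: print the decision matrix.
for (const [label, header] of [["no SameSite", VULNERABLE_SET_COOKIE], ["Lax", LAX_SET_COOKIE], ["Strict", STRICT_SET_COOKIE]]) {
  console.log(label.padEnd(12),
    "img:", mediaProxyDecision(header, crossSiteImgLoad),
    "link:", mediaProxyDecision(header, crossSiteLinkClick),
    "own UI:", mediaProxyDecision(header, sameSiteFetch));
}
```

Running the block shows the point of the fix: with no SameSite attribute the cookie is attached to the cross-site `<img>` load and the proxy serves the image to whatever page embedded it, while SameSite=Lax withholds it for subresource loads and keeps the instance's own UI working. Lax still allows a cross-site top-level GET navigation, which is acceptable for an image proxy but worth weighing for a management page such as bull-board, where Strict closes that path too. The `missingDefault: "lax"` policy option shows why the bug is browser-dependent: a Chromium-style default masks it, other browsers do not, so the server-side attribute is the only reliable control.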
Details
- CWE(s)
- CWE-352: Cross-Site Request Forgery (CSRF)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
The CVE describes a CSRF weakness in a public-facing web application (the Concorde federated microblogging platform) that an unauthenticated remote attacker can exploit to bypass the cookie-based authentication on the MediaProxy and bull-board endpoints. That matches T1190, exploitation of a public-facing application as an initial access vector; in this case the scored impact is on availability.