CVE-2025-24973
Published: 11 February 2025
Description
Adversaries can use stolen session cookies to authenticate to web applications and services.
Security Summary
CVE-2025-24973 is a high-severity authentication vulnerability (CVSS 9.3, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) stemming from an improper implementation of the logout process in Concorde, a federated microblogging platform forked from Misskey and formerly known as Nexkey. In versions prior to 12.25Q1.1, authentication credentials persist in browser cookies even after a user explicitly logs out, enabling potential theft of these tokens. The issue is classified under CWE-613 (Insufficient Session Expiration).
A local attacker with access to a shared device can exploit this vulnerability by accessing the victim's browser cookies after logout, stealing the authentication tokens without requiring privileges or user interaction. Successful exploitation allows the attacker to impersonate the victim, potentially gaining complete control over the account (high confidentiality, integrity, and availability impact with changed scope). This is particularly severe if the victim holds admin privileges on a shared device, as it could lead to full platform compromise.
The Concorde security advisory (GHSA-2369-p2wh-7cc2) and fixing commit (1f6ac9b289906083b132e4f9667a31a60ef83e4e) confirm that version 12.25Q1.1 resolves the issue. As mitigation, users should upgrade to the patched version; on shared devices, regenerate login tokens via Settings > Security. A workaround involves manually clearing cookies and site data in the browser after logging out.
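The manual workaround above (clearing cookies after logout) can be expressed as a client-side cleanup with a verification step. This is an added example, not code from Concorde or its fixing commit; the cookie names `token` and `session` and all function names are assumptions chosen for illustration.

```javascript
// Added example. Cookie names below are assumptions, not Concorde's real names.
const CREDENTIAL_COOKIE_NAMES = ['token', 'session'];

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    if (eq <= 0) continue; // skip empty segments and nameless cookies
    jar.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
  }
  return jar;
}

// Names of credential cookies that still hold a value (the CWE-613 symptom).
function leftoverCredentialCookies(cookieString, names = CREDENTIAL_COOKIE_NAMES) {
  const jar = parseCookieString(cookieString);
  return names.filter((name) => jar.has(name) && jar.get(name) !== '');
}

// A cookie is only removed when Path matches how it was set, so emit one
// expiring assignment per candidate path.
function expiryAssignments(name, paths = ['/']) {
  return paths.map(
    (path) => `${name}=; Path=${path}; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT`
  );
}

// Logout-side cleanup: expire every credential cookie, then return whatever is
// still readable so the caller can fail loudly instead of assuming success.
// `doc` is `document` in a browser; any object with a `cookie` accessor works.
function clearCredentialCookies(doc, names = CREDENTIAL_COOKIE_NAMES, paths = ['/']) {
  for (const name of names) {
    for (const assignment of expiryAssignments(name, paths)) {
      doc.cookie = assignment;
    }
  }
  return leftoverCredentialCookies(doc.cookie, names);
}
```

Script cannot read or expire `HttpOnly` cookies, so those must be expired by the server's logout response. Removing the cookie also does not revoke the token itself, which is why regenerating login tokens remains part of the mitigation on shared devices.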
Details
- CWE(s): CWE-613 (Insufficient Session Expiration)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's insufficient session expiration (CWE-613) allows auth tokens to persist in browser cookies after explicit logout, directly enabling a local attacker to steal valid web session cookies (T1539) from a shared device and use them for impersonation via alternate authentication material (T1550.004).