CVE-2025-24896

CVSS v3 Score: 8.1 (High)

Vulnerability Description

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this cookie is not deleted when the user logs out. The users primarily affected are those who have logged into Misskey on a public PC or someone else's device, but users who logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.

CVSS:8.1(High)

An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and activ...

CVSS:8.1(High)

OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.

CVSS:8.1(High)

Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens ...

CVSS:8.1(High)

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earli...

CVSS:8.1(High)

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.

CVSS:8.1(High)

Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does...