How severe is CVE-2025-24973?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.3 out of 10.

What type of vulnerability is CVE-2025-24973?

This is classified as CWE-613, which is a common weakness in software security.

CVE-2025-24973 - CRITICAL Severity | CVSS 9.3

Vulnerability Description

Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out.

Related Vulnerabilities

CVE-2021-3144

CRITICAL

CVSS:9.1(Critical)

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)

CWE-6132021

CVE-2021-35034

CRITICAL

CVSS:9.1(Critical)

An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted.

CWE-6132021

CVE-2021-35473

CRITICAL

CVSS:9.1(Critical)

An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use a expired acces...

CWE-6132021

CVE-2021-42545

CRITICAL

CVSS:9.1(Critical)

An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and ad...

CWE-6132021

CVE-2022-2064

CRITICAL

CVSS:9.1(Critical)

Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.

CWE-6132022

CVE-2022-24042

CRITICAL

CVSS:9.1(Critical)

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All ve...

CWE-6132022