CVE-2025-24896 Overview
CVE-2025-24896 is a session management vulnerability in Misskey, an open source, federated social media platform. It concerns the handling of login tokens during logout: a login token stored in a cookie named token, used to authenticate to Bull Dashboard, is not deleted when the user logs out. Authentication credentials therefore persist beyond their intended lifetime.
Critical Impact
Users who have logged into Misskey on shared or public computers remain vulnerable to session hijacking even after logging out, as the authentication token persists in the browser cookie storage.
Affected Products
- Misskey versions from 12.109.0 up to, but not including, 2025.2.0-alpha.0
- Misskey instances using Bull Dashboard authentication
- Self-hosted Misskey deployments with default session management
Discovery Timeline
- 2025-02-11 - CVE-2025-24896 published to NVD
- 2025-02-20 - Last updated in NVD database
Technical Details for CVE-2025-24896
Vulnerability Analysis
This vulnerability is classified under CWE-613 (Insufficient Session Expiration). The core issue lies in the session management implementation where the logout functionality fails to properly invalidate or remove all authentication-related cookies. Specifically, when a user logs out of Misskey, the token cookie used for Bull Dashboard authentication is not cleared, leaving a valid session token accessible in the browser's cookie storage.
The attack can be executed over the network and requires user interaction (such as a victim using a shared computer). If exploited, an attacker could gain unauthorized access to a user's account with high impact on confidentiality and integrity, though availability is not affected.
Root Cause
The root cause of this vulnerability is the incomplete implementation of the logout functionality. The original code removed the account from local storage and cleared internal session data, but failed to explicitly delete the token cookie that Bull Dashboard uses for authentication. This oversight meant that even after a user believed they had securely logged out, a valid authentication token remained stored in the browser.
Attack Vector
The attack scenario primarily affects users who log into Misskey using public computers, shared devices, or borrowed machines. An attacker with subsequent physical access to the same browser can:
- Access the stored token cookie from the browser's cookie storage
- Use this token to authenticate to the Misskey instance
- Gain full access to the victim's account and data
The vulnerability requires no special privileges to exploit and can be performed by any user with access to the browser after the victim has logged out.
// Security patch from packages/frontend/src/account.ts
// Source: https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824
if (!$i) return;
waiting();
+ document.cookie.split(';').forEach((cookie) => {
+ const cookieName = cookie.split('=')[0].trim();
+ if (cookieName === 'token') {
+ document.cookie = `${cookieName}=; max-age=0; path=/`;
+ }
+ });
miLocalStorage.removeItem('account');
await removeAccount($i.id);
const accounts = await getAccounts();
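Review bot: the deletion at `document.cookie = \`${cookieName}=; max-age=0; path=/\`;` only removes the cookie when its Path (and Domain, if any) match the attributes the cookie was originally set with; if the Bull Dashboard token cookie was set under a different path or with a Domain attribute, the browser keeps it and this line merely stores an empty token cookie at `/`. The loop also depends on the cookie being visible to script: an HttpOnly token cookie never appears in `document.cookie`, so the `if (cookieName === 'token')` branch silently never runs. Suggest emitting the same attributes here that are used when the cookie is set and, for robustness, having the server's signout response also send an expiring Set-Cookie for token so that an HttpOnly cookie is cleared as well.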
The patch explicitly iterates through all cookies and removes the token cookie by setting its max-age to 0, ensuring complete session cleanup during logout.
Detection Methods for CVE-2025-24896
Indicators of Compromise
- Presence of token cookie in browser storage after user logout operations
- The same session token used to authenticate from different source IPs
- Unusual account activity following logout events from shared or public networks
- Session tokens persisting beyond expected session lifecycle
Detection Strategies
- Monitor for authentication attempts using tokens that should have been invalidated
- Implement logging for all logout operations and track whether token cleanup completed successfully
- Audit browser cookie policies and review session management configurations
- Deploy anomaly detection for account access patterns following logout events
Monitoring Recommendations
- Enable verbose logging for authentication and session management functions
- Monitor for multiple account accesses from the same browser session token
- Track geographical and IP-based anomalies in post-logout authentication attempts
- Review Bull Dashboard access logs for suspicious authentication patterns
How to Mitigate CVE-2025-24896
Immediate Actions Required
- Upgrade Misskey to version 2025.2.0-alpha.0 or later immediately
- Advise users who have logged into Misskey on shared computers to clear browser cookies manually
- Review session management configurations and ensure proper token invalidation
- Force logout of all active sessions if compromise is suspected
Patch Information
The vulnerability is fixed in Misskey version 2025.2.0-alpha.0. The fix is available in commit ba9f295ef2bf31cc90fa587e20b9a7655b7a1824. Administrators should update their Misskey instances immediately to receive the security patch.
For detailed information about the security fix, refer to the GitHub Security Advisory and the commit on GitHub.
Workarounds
- Users should manually clear browser cookies after logging out, especially on shared devices
- Administrators can implement custom logout handlers that explicitly clear all authentication cookies
- Consider using browser private/incognito mode when accessing Misskey on shared computers
- Deploy browser policies that automatically clear cookies on session end for public terminals
Manual cookie cleanup workaround
Users can delete the cookie themselves in the browser developer tools:
Application > Cookies > select the Misskey domain > delete the 'token' cookie
Reverse-proxy workaround for server administrators (nginx example)
Add a header on the logout endpoint that tells the browser to delete the cookie. The Path and, if one was used, the Domain attribute must match those the cookie was originally set with, otherwise the browser keeps the original cookie. The snippet assumes an upstream block named misskey_backend.
location /api/signout {
    # "always" adds the header on every response status, not only 2xx and 3xx
    add_header Set-Cookie "token=; Max-Age=0; Path=/; HttpOnly; Secure" always;
    proxy_pass http://misskey_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.