Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62797

CVE-2025-62797: FluxCP Control Panel CSRF Vulnerability

CVE-2025-62797 is a critical CSRF vulnerability in FluxCP Control Panel for rAthena servers that lets attackers trick logged-in users into performing unintended actions. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-62797 Overview

FluxCP is a web-based Control Panel for rAthena Ragnarok Online servers written in PHP. A Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affects the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests authorized solely by the session cookie. The application does not implement per-request anti-CSRF tokens or robust Origin/Referer header validation. An attacker who lures a logged-in user to an attacker-controlled page can cause that user to perform sensitive actions without their consent. The maintainers fixed the issue in commit e3f130c.

Critical Impact

Authenticated users visiting a malicious page can be forced to execute unintended state-changing operations against their FluxCP account, including actions affecting account integrity and confidentiality.

Affected Products

  • FluxCP (rAthena Control Panel) versions prior to commit e3f130c
  • rAthena/Ragnarok servers deploying the FluxCP website template
  • PHP-based deployments of FluxCP without CSRF protections

Discovery Timeline

  • 2025-10-29 - CVE-2025-62797 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-62797

Vulnerability Analysis

The vulnerability stems from FluxCP relying on PHP session cookies as the sole authorization mechanism for state-changing POST endpoints. Browsers automatically attach session cookies to cross-origin requests when SameSite restrictions are absent or permissive. Without anti-CSRF tokens or strict Origin/Referer validation, the server cannot distinguish legitimate user-initiated actions from forged requests originating on attacker-controlled pages.

The FluxCP control panel exposes administrative and account management endpoints over POST. These endpoints accept form submissions without verifying request authenticity. An attacker hosting a malicious form or JavaScript-driven fetch call on a controlled domain can trigger these endpoints when an authenticated user visits the page.

Root Cause

The root cause is the absence of per-request CSRF tokens combined with permissive cookie behavior. FluxCP did not enforce HTTPS-only cookies or set SameSite attributes restricting cross-site cookie transmission. The patch in commit e3f130c introduces ForceHTTPS configuration to harden cookie transport and require a minimum PHP version that supports modern cookie attributes.

Attack Vector

Exploitation requires that a victim is authenticated to a FluxCP instance and visits an attacker-controlled page in the same browser session. The attacker page submits a forged POST request to the FluxCP endpoint. The browser attaches the victim's session cookie, and the server processes the request as if the victim initiated it.

php
// Patch excerpt from config/application.php
return array(
    'ServerAddress'       => 'localhost',
    'BaseURI'             => 'fluxcp',
    'ForceHTTPS'          => true,   // Added: enforce HTTPS transport for cookies
    'InstallerPassword'   => 'secretpassword',
    'RequireOwnership'    => true,
);

// Patch excerpt from index.php
if( version_compare( PHP_VERSION, '7.3.0', '<' ) ){
    exit(
        sprintf(
            'FluxCP requires PHP 7.3.0 or higher. You are using PHP %s.',
            PHP_VERSION
        )
    );
}

Source: FluxCP commit e3f130c. The PHP 7.3.0 minimum enables the SameSite cookie attribute, and ForceHTTPS prevents session cookies from traversing plaintext channels.

Detection Methods for CVE-2025-62797

Indicators of Compromise

  • POST requests to FluxCP endpoints with Referer or Origin headers pointing to external, non-trusted domains.
  • Unexpected account changes, password resets, or administrative actions correlated with off-site browsing activity.
  • Session cookies transmitted over HTTP rather than HTTPS in proxy or web server logs.

Detection Strategies

  • Inspect web server access logs for state-changing POST requests where the Referer header does not match the FluxCP application origin.
  • Correlate user action logs in FluxCP with browser session activity to identify out-of-band requests.
  • Review HTML responses served by external sites for embedded forms targeting FluxCP endpoint URLs.

Monitoring Recommendations

  • Enable verbose request logging at the web server tier and retain Referer, Origin, and User-Agent metadata.
  • Alert on sensitive POST endpoints (account, admin, donation) when invoked without a matching same-origin Referer.
  • Audit FluxCP administrative actions against expected operator workflows.

How to Mitigate CVE-2025-62797

Immediate Actions Required

  • Update FluxCP to the version containing commit e3f130c or later from the rAthena FluxCP repository.
  • Set the ForceHTTPS configuration option to true in config/application.php.
  • Ensure the PHP runtime is version 7.3.0 or higher to support SameSite cookie attributes.
  • Invalidate active sessions after upgrading to force re-authentication with hardened cookies.

Patch Information

The fix is published in FluxCP commit e3f130c and described in GitHub Security Advisory GHSA-5w2g-8cqq-r4fr. The patch hardens cookie transport, enforces HTTPS, and requires a PHP version that supports modern cookie security attributes. Administrators should pull the latest FluxCP code and merge updated configuration directives.

Workarounds

  • Configure the web server to reject POST requests to FluxCP endpoints when the Origin or Referer header does not match the application hostname.
  • Set session cookies with SameSite=Strict and Secure attributes at the web server or PHP level until the patch is applied.
  • Restrict FluxCP administrative pages to authenticated network segments such as VPN or IP allowlists.
bash
# Example Nginx Referer enforcement for FluxCP POST endpoints
location /fluxcp/ {
    if ($request_method = POST) {
        set $csrf_ok 0;
        if ($http_referer ~* "^https://fluxcp\.example\.com/") {
            set $csrf_ok 1;
        }
        if ($csrf_ok = 0) {
            return 403;
        }
    }
    proxy_pass http://php_backend;
}

# PHP session cookie hardening (php.ini)
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = "Strict"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.