CVE-2025-62797 Overview
FluxCP is a web-based Control Panel for rAthena Ragnarok Online servers written in PHP. A Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affects the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests authorized solely by the session cookie. The application does not implement per-request anti-CSRF tokens or robust Origin/Referer header validation. An attacker who lures a logged-in user to an attacker-controlled page can cause that user to perform sensitive actions without their consent. The maintainers fixed the issue in commit e3f130c.
Critical Impact
Authenticated users visiting a malicious page can be forced to execute unintended state-changing operations against their FluxCP account, including actions affecting account integrity and confidentiality.
Affected Products
- FluxCP (rAthena Control Panel) versions prior to commit e3f130c
- rAthena/Ragnarok servers deploying the FluxCP website template
- PHP-based deployments of FluxCP without CSRF protections
Discovery Timeline
- 2025-10-29 - CVE-2025-62797 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-62797
Vulnerability Analysis
The vulnerability stems from FluxCP relying on PHP session cookies as the sole authorization mechanism for state-changing POST endpoints. Browsers automatically attach session cookies to cross-origin requests when SameSite restrictions are absent or permissive. Without anti-CSRF tokens or strict Origin/Referer validation, the server cannot distinguish legitimate user-initiated actions from forged requests originating on attacker-controlled pages.
The FluxCP control panel exposes administrative and account management endpoints over POST. These endpoints accept form submissions without verifying request authenticity. An attacker hosting a malicious form or JavaScript-driven fetch call on a controlled domain can trigger these endpoints when an authenticated user visits the page.
Root Cause
The root cause is the absence of per-request CSRF tokens combined with permissive cookie behavior. FluxCP did not enforce HTTPS-only cookies or set SameSite attributes restricting cross-site cookie transmission. The patch in commit e3f130c introduces ForceHTTPS configuration to harden cookie transport and require a minimum PHP version that supports modern cookie attributes.
Attack Vector
Exploitation requires that a victim is authenticated to a FluxCP instance and visits an attacker-controlled page in the same browser session. The attacker page submits a forged POST request to the FluxCP endpoint. The browser attaches the victim's session cookie, and the server processes the request as if the victim initiated it.
// Patch excerpt from config/application.php
return array(
'ServerAddress' => 'localhost',
'BaseURI' => 'fluxcp',
'ForceHTTPS' => true, // Added: enforce HTTPS transport for cookies
'InstallerPassword' => 'secretpassword',
'RequireOwnership' => true,
);
// Patch excerpt from index.php
if( version_compare( PHP_VERSION, '7.3.0', '<' ) ){
exit(
sprintf(
'FluxCP requires PHP 7.3.0 or higher. You are using PHP %s.',
PHP_VERSION
)
);
}
Source: FluxCP commit e3f130c. The PHP 7.3.0 minimum enables the SameSite cookie attribute, and ForceHTTPS prevents session cookies from traversing plaintext channels.
Detection Methods for CVE-2025-62797
Indicators of Compromise
- POST requests to FluxCP endpoints with Referer or Origin headers pointing to external, non-trusted domains.
- Unexpected account changes, password resets, or administrative actions correlated with off-site browsing activity.
- Session cookies transmitted over HTTP rather than HTTPS in proxy or web server logs.
Detection Strategies
- Inspect web server access logs for state-changing POST requests where the Referer header does not match the FluxCP application origin.
- Correlate user action logs in FluxCP with browser session activity to identify out-of-band requests.
- Review HTML responses served by external sites for embedded forms targeting FluxCP endpoint URLs.
Monitoring Recommendations
- Enable verbose request logging at the web server tier and retain Referer, Origin, and User-Agent metadata.
- Alert on sensitive POST endpoints (account, admin, donation) when invoked without a matching same-origin Referer.
- Audit FluxCP administrative actions against expected operator workflows.
How to Mitigate CVE-2025-62797
Immediate Actions Required
- Update FluxCP to the version containing commit e3f130c or later from the rAthena FluxCP repository.
- Set the ForceHTTPS configuration option to true in config/application.php.
- Ensure the PHP runtime is version 7.3.0 or higher to support SameSite cookie attributes.
- Invalidate active sessions after upgrading to force re-authentication with hardened cookies.
Patch Information
The fix is published in FluxCP commit e3f130c and described in GitHub Security Advisory GHSA-5w2g-8cqq-r4fr. The patch hardens cookie transport, enforces HTTPS, and requires a PHP version that supports modern cookie security attributes. Administrators should pull the latest FluxCP code and merge updated configuration directives.
Workarounds
- Configure the web server to reject POST requests to FluxCP endpoints when the Origin or Referer header does not match the application hostname.
- Set session cookies with SameSite=Strict and Secure attributes at the web server or PHP level until the patch is applied.
- Restrict FluxCP administrative pages to authenticated network segments such as VPN or IP allowlists.
# Example Nginx Referer enforcement for FluxCP POST endpoints
location /fluxcp/ {
if ($request_method = POST) {
set $csrf_ok 0;
if ($http_referer ~* "^https://fluxcp\.example\.com/") {
set $csrf_ok 1;
}
if ($csrf_ok = 0) {
return 403;
}
}
proxy_pass http://php_backend;
}
# PHP session cookie hardening (php.ini)
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = "Strict"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

