CVE-2025-21611

Severity: HIGH | CVSS 8.8/10 | EPSS 0.45%

CVE-2025-21611 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. EPSS estimates a 0.45% chance of exploitation in the next 30 days.

Description

tgstation-server is a production-scale tool for BYOND server management. Prior to 6.12.3, the roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine whether a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected, so users cannot use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3.
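To make the logic flaw concrete, the following is an added illustrative example (not tgstation-server's own code or types): a hypothetical rights model in which "account enabled" is one role bit, shown with the OR'd check the advisory describes beside the AND'ed check. It does not model why WriteUsers was unaffected in the real project.

```python
from enum import Flag, auto

# Hypothetical rights model for illustration; not the project's real enum.
class Right(Flag):
    NONE = 0
    ENABLED = auto()        # "account is enabled", modelled as a role bit
    READ_USERS = auto()
    WRITE_USERS = auto()
    RESTART_SERVER = auto()

def has(granted: Right, required: Right) -> bool:
    """True when every bit in `required` is present in `granted`."""
    return (granted & required) == required

def authorize_vulnerable(granted: Right, required: Right) -> bool:
    # Pre-6.12.3 pattern described in the advisory: the enabled role is OR'd
    # with the method's required right, so holding either one alone passes.
    return has(granted, Right.ENABLED) or has(granted, required)

def authorize_fixed(granted: Right, required: Right) -> bool:
    # Corrected pattern: the account must be enabled AND hold the right.
    return has(granted, Right.ENABLED) and has(granted, required)

def matrix(required: Right = Right.RESTART_SERVER) -> dict:
    """Evaluate both checks for constructed accounts against one action.

    Returns {account_name: (vulnerable_result, fixed_result)}.
    """
    accounts = {  # constructed sample accounts
        "enabled_no_rights": Right.ENABLED,
        "enabled_with_right": Right.ENABLED | required,
        # In this model the OR also lets a disabled account with the right
        # through; that is a consequence of the OR, not a claim about the project.
        "disabled_with_right": required,
    }
    return {
        name: (authorize_vulnerable(granted, required),
               authorize_fixed(granted, required))
        for name, granted in accounts.items()
    }

if __name__ == "__main__":
    for name, (vuln, fixed) in matrix().items():
        print(f"{name:20} vulnerable={vuln!s:5} fixed={fixed!s:5}")
```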

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.45% (36.1st percentile)

Probability of exploitation in the next 30 days.

Affected Software

Vendor: Tgstation13
Product: Tgstation-Server
Versions: >= 6.11.0, < 6.12.3

Timeline

Status: Analyzed

Frequently Asked Questions

What is CVE-2025-21611?
tgstation-server is a production-scale tool for BYOND server management. Prior to 6.12.3, the roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine whether a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected, so users cannot use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3.
How severe is CVE-2025-21611?
CVE-2025-21611 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.45% probability of exploitation in the next 30 days.
How do I fix CVE-2025-21611?
Upgrade to tgstation-server 6.12.3 or later, which contains the fix, and check the vendor advisory for any additional mitigation guidance.


Source: NVD / NIST