Strix
26.1K

CVE-2025-24973

CRITICALCVSS 9.3/10EPSS 0.18%

Last modified

CVE-2025-24973 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. EPSS estimates a 0.18% chance of exploitation in the next 30 days.

Description

Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out.

Metrics

CVSS 3.1
9.3/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability
0.18%

7.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

Timeline

Published
Last Modified
Status
Deferred

Frequently Asked Questions

What is CVE-2025-24973?
Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out.
How severe is CVE-2025-24973?
CVE-2025-24973 has a CVSS score of 9.3/10 (CRITICAL severity). The EPSS model estimates a 0.18% probability of exploitation in the next 30 days.
How do I fix CVE-2025-24973?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-24973?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST