What is the CVSS score of CVE-2025-24896?

CVE-2025-24896 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.3%.

Which versions of Misskey are affected by CVE-2025-24896?

Organizations using version 12.109.0 and face notable risk from CVE-2025-24896 rated CVSS 8.1.. A patch is available.

How to fix or mitigate CVE-2025-24896?

Within 7 days: Identify all affected systems running version 12.109.0 and and apply vendor patches promptly. Vendor patch is available.

Misskey CVE-2025-24896

HIGH

Insufficient Session Expiration (CWE-613)

2025-02-11 security-advisories@github.com

Information Disclosure Misskey

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:26 vuln.today

Patch released

Mar 28, 2026 - 18:26 nvd

Patch available

CVE Published

Feb 11, 2025 - 16:15 nvd

HIGH 8.1

DescriptionGitHub Advisory

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named token is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.

AnalysisAI

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-613. Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named token is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue. Affected products include: Misskey. Version information: version 12.109.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-24896 vulnerability details – vuln.today

Back