CVE-2025-24900
CVSS 3.1 Score 8.6 of 10 (high)
Details
Summary
CVE-2025-24900 is a vulnerability affecting the Concorde (Nexkey) fork of the federated microblogging platform Misskey. Due to the lack of Cross-Site Request Forgery (CSRF) countermeasures and improper cookie settings for MediaProxy authentication, an attacker can bypass Concorde's MediaProxy authentication in versions prior to 12.25Q1.1. This vulnerability also affects the job queue management page (bull-board) authentication in versions prior to 12.24Q2.3. As a result, an attacker may gain unauthorized access with significant impacts on availability and integrity. While the affected versions are no longer supported, the Concorde maintainers recommend updating to version 12.25Q1.1, which contains a patch. No effective workaround is available other than updating.
Affected Products
- Concorde