PT-2025-11049 · Flarum · Flarum

Imorland · Published 2025-03-12 · Updated 2025-04-02 · CVE-2025-27794
CVSS v3.1: 6.8 Medium
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.8.10
Description: A session hijacking issue (session fixation via cookie scoping) exists when an attacker who controls an authoritative subdomain under a parent domain uses it to set a cookie whose Domain attribute is the parent domain. The browser then sends that cookie to every sibling subdomain, so the attacker can plant a session token of their choosing in the session cookie of an application hosted on a sibling subdomain. Because Flarum prior to 1.8.10 did not rotate the session token after authentication, a victim who logs in while carrying the planted token ends up with an authenticated session whose token the attacker already knows. Key constraints: the attacker must control a subdomain under the same parent domain, and the parent domain must not be on the Public Suffix List, since browsers refuse cookies whose Domain attribute is a public suffix. The issue can be reproduced manually with browser developer tools, but it is not exploitable in practice because of browser security measures, which is consistent with the high attack complexity and required user interaction in the CVSS vector.
Recommendations: Update to Flarum 1.8.10, which rotates the session token after authentication so that a token planted before login is no longer valid once the user logs in. If updating is not immediately possible, reduce exposure by: rotating the session token after authentication in your own deployment; scoping the session cookie to the forum's exact host rather than the parent domain (no Domain attribute, so it is not shared with sibling subdomains); and, where the parent domain is a shared hosting domain, adding it to the Public Suffix List so browsers refuse cookies scoped to it. Note that scoping the forum's own cookie does not stop the browser from also sending a parent-domain cookie set by a sibling subdomain, so it is defense in depth rather than a fix; only rotation on login or a PSL listing closes the path described above.
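The following Python simulation walks through the attack path in the description and the fix in the recommendations. It is an added example written for this page, not Flarum's code or a proof of concept from the advisory: the host names forum.example.com and evil.example.com, the cookie name flarum_session, the session tokens and the two-entry stand-in for the Public Suffix List are all constructed for illustration. It models a browser cookie jar with RFC 6265 domain matching and the refusal of public-suffix Domain attributes, a toy forum with and without token rotation on login, and the check an attacker makes by replaying the planted token.

```python
# Added example for this page, not Flarum's code. Host names, the cookie name,
# tokens and the tiny public-suffix table are constructed for illustration.
from dataclasses import dataclass
from typing import Optional
import secrets

PUBLIC_SUFFIXES = {"com", "github.io"}  # stand-in for the real Public Suffix List
COOKIE = "flarum_session"               # assumed session cookie name

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # stored without a leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

class Browser:
    """Just enough of a cookie jar to show which cookies reach which host."""
    def __init__(self):
        self.jar = []

    def set_cookie(self, origin_host, name, value, domain=None) -> bool:
        """Apply a Set-Cookie sent by origin_host; False means the browser refused it."""
        origin_host = origin_host.lower()
        if domain is None:
            cookie = Cookie(name, value, origin_host, True)
        else:
            domain = domain.lstrip(".").lower()
            # Browser security measures: Domain must be a parent of the setting host and
            # not a public suffix, or any site on a shared suffix could cookie every sibling.
            if domain in PUBLIC_SUFFIXES or not domain_matches(origin_host, domain):
                return False
            cookie = Cookie(name, value, domain, False)
        self.jar = [c for c in self.jar if not (c.name == name and c.domain == cookie.domain)]
        self.jar.append(cookie)  # same name + same domain replaces the stored cookie
        return True

    def cookies_for(self, host):
        """Cookies the browser attaches to a request for host."""
        host = host.lower()
        return [c for c in self.jar
                if (c.domain == host if c.host_only else domain_matches(host, c.domain))]

class Forum:
    """Toy forum at host; rotate_on_login=False models Flarum before 1.8.10."""
    def __init__(self, host, rotate_on_login):
        self.host = host
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> logged-in user, or None while anonymous

    def presented_sid(self, browser) -> Optional[str]:
        for c in browser.cookies_for(self.host):
            if c.name == COOKIE and c.value in self.sessions:
                return c.value
        return None

    def visit(self, browser) -> str:
        """Anonymous page load: issue a fresh host-only session cookie if none is presented."""
        sid = self.presented_sid(browser)
        if sid is None:
            sid = secrets.token_hex(16)
            self.sessions[sid] = None
            browser.set_cookie(self.host, COOKIE, sid)
        return sid

    def login(self, browser, user) -> str:
        """Authenticate the presented session; returns the id now bound to user."""
        sid = self.visit(browser)
        if self.rotate_on_login:
            # The fix: retire the token the client arrived with and bind the user to a
            # fresh one, so a token planted before login is worthless afterwards.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            browser.set_cookie(self.host, COOKIE, sid)
        self.sessions[sid] = user
        return sid

    def whoami(self, sid) -> Optional[str]:
        return self.sessions.get(sid)  # who a client replaying a raw token is treated as

def run_attack(rotate_on_login: bool) -> Optional[str]:
    """Plant a token via a sibling subdomain, let the victim log in, replay the token."""
    forum = Forum("forum.example.com", rotate_on_login)
    planted = forum.visit(Browser())  # 1. attacker obtains a genuine anonymous id
    victim = Browser()
    # 2. victim visits attacker-controlled evil.example.com (the UI:R step), which sets
    #    the forum's cookie name with Domain= the shared parent, so siblings receive it
    if not victim.set_cookie("evil.example.com", COOKIE, planted, domain="example.com"):
        raise RuntimeError("browser refused the parent-domain cookie")
    forum.login(victim, "alice")  # 3. browser sends the planted cookie to the forum
    return forum.whoami(planted)  # 4. attacker replays the token they planted
```

run_attack(False) returns "alice": the attacker's planted token is now an authenticated session. run_attack(True) returns None because login retired that token. The Public Suffix List constraint shows up in Browser.set_cookie: a call such as set_cookie("evil.github.io", COOKIE, token, domain="github.io") returns False, so with the parent domain on the list the planting step never succeeds. The jar ignores paths, expiry and the Secure flag, and it does not model the RFC 6265 rule that, for equal paths, an earlier-created parent-domain cookie is sent before the site's own host-only cookie; that ordering is why retiring the old token server-side on login matters more than the cookie attributes alone.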

Weakness Enumeration: Special Elements Injection
Related Identifiers: CVE-2025-27794, GHSA-HG9J-64WP-M9PX
Affected Products: Flarum