PT-2025-6243 · Misskey · Misskey

Hoto-Cocoa +1

Published: 2025-02-11 · Updated: 2025-02-20

CVE-2025-24896

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Misskey versions 12.109.0 through 2025.2.0-alpha.0
Description: Misskey is an open source, federated social media platform. The login token used to authenticate to the Bull Dashboard is stored in a cookie named token, and this cookie is not deleted when the user logs out. The users primarily affected are those who have logged into Misskey on a public PC or someone else's device, but users who logged out of Misskey before lending their PC to someone else could also be affected.
Recommendations: For versions 12.109.0 through 2025.2.0-alpha.0, update to version 2025.2.0-alpha.0 or later to resolve the issue. As a temporary workaround, clear cookies after logging out of Misskey to minimize the risk of exploitation. Restrict access to sensitive information on shared devices to prevent misuse of the undeleted login token.
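As an added example (not Misskey's own code), a check an operator or tester can run against the Set-Cookie headers of a logout response to confirm that the token cookie is actually invalidated, together with the clearing header a fixed logout handler would emit; the cookie Path and attributes used here are assumptions.

```javascript
// Parse one Set-Cookie header into { name, value, attrs } (attribute names lowercased).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// An entry invalidates the cookie only if it names the same cookie, targets the
// same Path the cookie was issued on (otherwise the browser keeps the old one),
// and sets Max-Age <= 0 or an Expires date in the past relative to `now`.
function clearsCookie(entry, cookieName, cookiePath, now) {
  if (entry.name !== cookieName) return false;
  const path = entry.attrs.path ?? '/';
  if (path !== cookiePath) return false;
  if ('max-age' in entry.attrs) return Number(entry.attrs['max-age']) <= 0;
  if ('expires' in entry.attrs) return Date.parse(entry.attrs.expires) < now;
  return false; // a plain re-set of the cookie is not a logout
}

// Given every Set-Cookie header on a logout response, report whether the
// `token` cookie is invalidated for the assumed path it was issued on.
function logoutClearsToken(setCookieHeaders, cookiePath = '/', now = Date.now()) {
  return setCookieHeaders
    .map(parseSetCookie)
    .some((entry) => clearsCookie(entry, 'token', cookiePath, now));
}

// Header a corrected logout handler should send: same Path (and Secure/HttpOnly
// flags) as at login, with Max-Age=0 so the browser discards the cookie.
// The Path value is an assumption, not Misskey's actual configuration.
function tokenClearingHeader(cookiePath = '/') {
  return `token=; Max-Age=0; Path=${cookiePath}; HttpOnly; Secure; SameSite=Lax`;
}

module.exports = { parseSetCookie, clearsCookie, logoutClearsToken, tokenClearingHeader };
```

Run the check against a captured logout response: if it returns false, the session cookie survives logout on that browser profile, which is exactly the condition this advisory describes.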

Exploit

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2025-24896
GHSA-W98M-J6HQ-CWJM

Affected Products

Misskey