Misskey Login Token Cookie Persistence Vulnerability in Bull Dashboard

Vulnerability

A vulnerability exists in Misskey versions from 12.109.0 up to, but not including, 2025.2.0-alpha.0, where a login token named 'token' is stored in a cookie for authentication in Bull Dashboard. This token is not deleted upon logout, so the cookie remains in the browser after the session has ended. Users who have logged into Misskey on public or shared devices are especially exposed, and even users who logged out before lending their PC could be affected.

Impact

This vulnerability could lead to unauthorized access to a user's Misskey account by allowing someone else to use the valid login token stored in the cookie.

Remediation

Users can update to Misskey version 2025.2.0-alpha.0 or later, where this vulnerability has been fixed.
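To confirm the fix after upgrading, the cookies a browser still holds once the user has logged out can be audited. The following is an added example, not Misskey's own code: only the cookie name 'token' comes from this advisory, while the helper names, the sample cookie strings and the path `/` are assumptions.

```javascript
// Added example: audit the cookies a browser still holds after logout.
// Only the cookie name 'token' is taken from the advisory; the rest is assumed.
const AUTH_COOKIE_NAMES = ['token'];

// Parse a Cookie request header (or a document.cookie string) into [name, value] pairs.
// Duplicate names are kept, since the same name can exist under several paths.
function parseCookieHeader(header) {
  return String(header || '')
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('='); // split on the first '=' only; values may contain '='
      return eq === -1
        ? ['', part] // a bare value is a nameless cookie
        : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Return the auth cookies that still carry a non-empty value after logout.
function leftoverAuthCookies(headerAfterLogout, names = AUTH_COOKIE_NAMES) {
  return parseCookieHeader(headerAfterLogout)
    .filter(([name, value]) => names.includes(name) && value !== '')
    .map(([name]) => name);
}

// Build the string that expires a cookie. The path must match the path the cookie
// was set with; '/' is an assumption here, the advisory does not state it.
function expireCookieString(name, path = '/') {
  return `${name}=; path=${path}; max-age=0`;
}

// Constructed sample cookie strings (not captured from a real instance).
const afterLogoutUnpatched = 'lang=en-US; token=CONSTRUCTED_SAMPLE_TOKEN==; theme=dark';
const afterLogoutPatched = 'lang=en-US; theme=dark';

function demo() {
  return {
    unpatched: leftoverAuthCookies(afterLogoutUnpatched), // token survives logout
    patched: leftoverAuthCookies(afterLogoutPatched),     // nothing left behind
    expire: expireCookieString('token'),
  };
}

console.log(demo());
```

On a device that was used with an affected version, a non-empty result from `leftoverAuthCookies` means the cookie should be removed manually, for example by clearing the site's cookies in the browser.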

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 5.0
exploitability: 7.2
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.