CVE-2025-59841
BaseFortify
Publication date: 2025-09-25
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flagforge | flagforge | From 2.2 (inc) to 2.3.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Flag Forge versions 2.2.0 to before 2.3.1 involves improper session invalidation. After a user logs out, their session is not terminated on the server side, so the old session credentials can still be used to access protected endpoints such as /api/profile. Additionally, CSRF tokens remain valid after logout, which can enable unauthorized actions.
How can this vulnerability impact me?
This vulnerability can allow attackers or unauthorized users to continue accessing sensitive user data and perform actions on behalf of users even after they have logged out. This can lead to data breaches, unauthorized changes, and compromise of user accounts.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Flag Forge web application to version 2.3.1 or later, where the session invalidation issue has been patched. Until the upgrade, restrict access to the application and monitor for unauthorized access after logout.
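As an added illustration (not code from the Flag Forge project), the following minimal server-side session store contrasts the logout pattern behind CWE-613 and CWE-384, where the client is told to drop its cookie but the server-side record and its CSRF token stay valid, with a fixed logout that revokes the record so the old session ID and CSRF token are rejected afterwards. The endpoint names, store layout and helper functions are assumptions made for this example.

```python
import secrets


class SessionStore:
    """In-memory server-side session store (constructed for this example).
    A session ID and its CSRF token are only valid while a record exists here."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]

    def logout_vulnerable(self, sid):
        # Mirrors the flaw: only the client is told to clear its cookie; the
        # server-side record (and the CSRF token bound to it) is left intact.
        return {"clear_cookie": True}

    def logout_fixed(self, sid):
        # Hardened: revoke the server-side record so that any later request
        # presenting the old session ID or CSRF token is refused.
        self._sessions.pop(sid, None)
        return {"clear_cookie": True}

    def get_profile(self, sid):
        # Stands in for a GET /api/profile handler.
        rec = self._sessions.get(sid)
        return (401, None) if rec is None else (200, {"user": rec["user"]})

    def post_action(self, sid, csrf_token):
        # Stands in for a state-changing POST that requires a valid CSRF token.
        rec = self._sessions.get(sid)
        if rec is None or not secrets.compare_digest(rec["csrf"], csrf_token):
            return 403
        return 200


def replay_after_logout(fixed):
    """Log in, log out, then reuse the old credentials. Returns the HTTP
    status codes for the profile read and the CSRF-protected action."""
    store = SessionStore()
    sid = store.login("alice")
    csrf = store.csrf_token(sid)
    (store.logout_fixed if fixed else store.logout_vulnerable)(sid)
    status_profile, _ = store.get_profile(sid)
    return status_profile, store.post_action(sid, csrf)
```

With the vulnerable logout both requests still succeed after logout; with the fixed logout they return 401 and 403, which is the behaviour a post-upgrade check should confirm.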