CVE-2025-59841
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-25
Last Modified
2025-10-08
Generated
2026-06-16
AI Q&A
2025-09-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59841
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flagforge flagforge From 2.2 (inc) to 2.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Flag Forge versions 2.2.0 to before 2.3.1 involves improper session invalidation. After a user logs out, their session is not properly terminated, allowing them to still access protected endpoints like /api/profile. Additionally, CSRF tokens remain valid after logout, which can enable unauthorized actions.

Impact Analysis

This vulnerability can allow attackers or unauthorized users to continue accessing sensitive user data and perform actions on behalf of users even after they have logged out. This can lead to data breaches, unauthorized changes, and compromise of user accounts.

Mitigation Strategies

Upgrade the Flag Forge web application to version 2.3.1 or later, where the session invalidation issue has been patched. Until the upgrade, restrict access to the application and monitor for unauthorized access after logout.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59841. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart