CVE-2025-62797
BaseFortify
Publication date: 2025-10-29
Last updated on: 2025-10-30
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rathena | fluxcp | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the FluxCP-based website template used by rAthena/Ragnarok servers. State-changing POST endpoints accept any request that carries a valid session cookie; they neither require a per-request anti-CSRF token nor validate the Origin/Referer headers. Because browsers attach the session cookie to cross-site requests automatically, an attacker who lures a logged-in user to a malicious page can have that page submit a forged POST, and the server processes it as an action the user intended.
How can this vulnerability impact me?
An attacker can make a logged-in user's browser perform state-changing actions on the site without the user's knowledge or consent. Since the affected endpoints rely solely on the session cookie for authorization, a forged request carries exactly the same authority as a legitimate one: whatever the user is permitted to change through those endpoints (account settings and other sensitive operations) the attacker can change too, potentially leading to account compromise or other unauthorized changes.
What immediate steps should I take to mitigate this vulnerability?
Update the FluxCP deployment to a version that includes commit e3f130c, which fixes this issue. If patching is not immediately possible, add per-request anti-CSRF tokens (a random per-session value embedded in each form and verified server-side with a constant-time comparison) and reject state-changing POSTs whose Origin or Referer header does not match the site's own origin. As defense in depth, set the session cookie with the SameSite attribute (Lax or Strict) so browsers do not attach it to cross-site POSTs. SameSite alone does not replace the token check, and Referer may be stripped by privacy settings, so a missing header should be treated as a failed check rather than a pass.
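The following is an added example illustrating the two answers above; it is not FluxCP code and not part of the fix in commit e3f130c. It models a minimal "change e-mail" POST handler in the cookie-only form the advisory describes, next to a hardened form that adds a per-session synchronizer token and an Origin/Referer check. The cookie name `fluxSessionId`, the site origin, the session store and the request contents are all constructed assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse, parse_qs

# Assumed origin of the control panel (constructed for this example).
SITE_ORIGIN = "https://cp.example-server.test"

# Constructed in-memory session store: session id -> session record.
SESSIONS = {
    "sid-alice": {"account_id": 2000001, "csrf_token": None},
}


def session_from_cookie(cookie_header):
    """Return the session record named by the (assumed) fluxSessionId cookie, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "fluxSessionId":
            return SESSIONS.get(value)
    return None


def issue_csrf_token(session):
    """Synchronizer token: a random per-session secret the server embeds in its own forms."""
    if session["csrf_token"] is None:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def vulnerable_change_email(request):
    """The pattern the advisory describes: any POST with a valid session cookie is honored."""
    session = session_from_cookie(request["headers"].get("Cookie", ""))
    if session is None:
        return 401, "not logged in"
    form = parse_qs(request["body"])
    return 200, f"email for {session['account_id']} set to {form['email'][0]}"


def hardened_change_email(request):
    """Same action, but the request must prove it came from our own page."""
    headers = request["headers"]
    session = session_from_cookie(headers.get("Cookie", ""))
    if session is None:
        return 401, "not logged in"
    # 1. Origin (or Referer as fallback) must name this site; absence is a failure, not a pass.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return 403, "missing Origin/Referer"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # 2. The form must carry the session's token; compare in constant time on bytes.
    form = parse_qs(request["body"])
    submitted = form.get("csrf_token", [""])[0]
    expected = session["csrf_token"] or ""
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "invalid CSRF token"
    return 200, f"email for {session['account_id']} set to {form['email'][0]}"


def forged_request():
    """Constructed request as a browser would send it from an attacker's page: the session
    cookie is attached automatically, but the token is unknown and Origin is the attacker's."""
    return {
        "headers": {"Cookie": "fluxSessionId=sid-alice", "Origin": "https://evil.example.test"},
        "body": "email=attacker%40evil.example.test",
    }


def same_origin_without_token():
    """Constructed request that passes the Origin check but omits the token."""
    return {
        "headers": {"Cookie": "fluxSessionId=sid-alice", "Origin": SITE_ORIGIN},
        "body": "email=attacker%40evil.example.test",
    }


def legitimate_request():
    """Constructed request from the site's own form, token included."""
    token = issue_csrf_token(SESSIONS["sid-alice"])
    return {
        "headers": {"Cookie": "fluxSessionId=sid-alice", "Origin": SITE_ORIGIN},
        "body": f"csrf_token={token}&email=alice%40example.test",
    }


if __name__ == "__main__":
    print(vulnerable_change_email(forged_request()))       # forged request is accepted
    print(hardened_change_email(forged_request()))         # rejected on Origin
    print(hardened_change_email(same_origin_without_token()))  # rejected on token
    print(hardened_change_email(legitimate_request()))     # accepted
```

The forged request succeeds against the cookie-only handler because nothing in it distinguishes the attacker's auto-submitted form from the user's own; the hardened handler fails it twice over, once on Origin and, if that were bypassed, again on the missing token. Treating an absent Origin/Referer as a rejection is deliberate: a check that passes when the header is missing is trivially defeated by any context that strips it.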