CVE-2025-59841
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-59841
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59841.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-59841
- Aliases
-
- GHSA-h6pr-4cwv-6cjg
- Published
- 2025-09-25T15:15:45.438Z
- Modified
- 2025-12-02T20:15:54.958684Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- FlagForgeCTF's Improper Session Handling Allows Access After Logout
- Details
-
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59841.json", "cwe_ids": [ "CWE-384", "CWE-613" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59841.json
- https://github.com/FlagForgeCTF/flagForge/commit/304b6c82a4f76871b336404b91e5cdd8a7d7d5bd
- https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-h6pr-4cwv-6cjg
- https://nvd.nist.gov/vuln/detail/CVE-2025-59841