CVE-2025-27794

CVE-2025-27794 is a medium-severity security vulnerability in flarum/core (composer), affecting versions < 1.8.10. It is fixed in 1.8.10.

Summary

A session hijacking vulnerability exists when an attacker-controlled authoritative subdomain under a parent domain (e.g., subdomain.host.com) sets cookies scoped to the parent domain (.host.com). This allows session token replacement for applications hosted on sibling subdomains (e.g., community.host.com) if session tokens aren't rotated post-authentication.

Key Constraints:

  • Attacker must control any subdomain under the parent domain (e.g., evil.host.com or x.y.host.com).
  • Parent domain must not be on the Public Suffix List.

Because session tokens are not rotated after authentication, the vulnerability can in theory be reproduced using browser dev tools; however, because of the browser's cookie security measures, it does not appear to be exploitable as described.

Proof of Concept (Deno)

Deno.serve({
    port: 8000, // default
    hostname: 'localhost',
    onListen: (o) => console.log(`Server started at http://${o.hostname}:${o.port}`, o),
  },
  async (req) => (console.log(req), new Response(
    `You've been served! You came from ${req.headers.get('referer')}`,
    {
      //status: 302, // would redirect user to page they came from
      status: 200,
      headers: {
        'set-cookie': 'session_cookie=mytoken; Domain=.deno.dev; Secure; HttpOnly',
        'location': req.headers.get('referer')
      }
    }
  ))
);

Attack Flow

  1. Attacker Setup: Hosts server at evil.host.com.
  2. Harvest Session Token: Attacker visits community.host.com and obtains a session token of their own, which will later replace the victim's token.
  3. Victim Interaction: User clicks link to https://evil.host.com.
  4. Cookie Override: Server sets cookie with Domain=.host.com and the harvested token from step 2.
  5. Session Hijacking: Victim's future requests to community.host.com use attacker's token.

Why Reverse DNS Subdomains Fail

Browsers block cookie setting for parent domains unless:

  1. Authoritative Subdomain: Server must belong to a direct child domain (e.g., a.host.com, not x.y.host.com).
  2. Public Suffix Exclusion: If host.com is on the Public Suffix List (e.g., like github.io), browsers block cross-subdomain cookies.

Example:

  • 123.cust.dynamic.host.com → Cannot set Domain=.host.com.
  • evil.host.com → Can set Domain=.host.com (if not on PSL).

Browser Security Behavior

1. Cookie Domain Validation

Per RFC 6265 §5.3:

Cookies can only be set for domains the server is authoritative for.

2. Public Suffix List (PSL)

Domains like host.com on the PSL trigger browser protections:

Subdomains of PSL-listed domains cannot set cookies for parent domains.

Verification:

Impact

  • Account Takeover: Attacker gains authenticated session access.
  • Data Exposure: Email, private messages, and other personal data exposed.
  • Exploitable Only If:
    • Parent domain is not PSL-listed.
    • Attacker controls direct child subdomain (e.g., evil.host.com).

Remediation

  1. Session Token Rotation:
    // After authentication:
    invalidateOldSession();
    const newToken = generateToken();
    
  2. Cookie Scoping (already in place):
    // Restrict cookies to explicit subdomain:
    "Set-Cookie": "session=token; Domain=community.host.com; Secure; HttpOnly; SameSite=Lax";
    
  3. Public Suffix Registration:
    Add host.com to the Public Suffix List via PSL Submission.

Revised Vulnerability Criteria

Prerequisites:

  • Attacker controls authoritative subdomain (e.g., evil.host.com).
  • Parent domain (host.com) is not PSL-listed.
  • Session tokens persist post-authentication.

References

Impact

CVE-2025-27794 has a CVSS score of 6.8 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.8.10); upgrading removes the vulnerable code path.

Affected versions

  • flarum/core (< 1.8.10)
  • flarum/framework (< 1.8.10)

Security releases

  • flarum/core → 1.8.10 (composer)
  • flarum/framework → 1.8.10 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade the following packages to resolve this vulnerability:

flarum/core to 1.8.10 or later; flarum/framework to 1.8.10 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-27794? CVE-2025-27794 is a medium-severity security vulnerability in flarum/core (composer), affecting versions < 1.8.10. It is fixed in 1.8.10.
  2. How severe is CVE-2025-27794? CVE-2025-27794 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2025-27794?
    • flarum/core (composer) (versions < 1.8.10)
    • flarum/framework (composer) (versions < 1.8.10)
  4. Is there a fix for CVE-2025-27794? Yes. CVE-2025-27794 is fixed in 1.8.10. Upgrade to this version or later.
  5. Is CVE-2025-27794 exploitable, and should I be worried? Whether CVE-2025-27794 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-27794 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-27794?
    • Upgrade flarum/core to 1.8.10 or later
    • Upgrade flarum/framework to 1.8.10 or later

Other vulnerabilities in flarum/core

  • CVE-2025-27794
  • CVE-2024-21641
  • CVE-2023-40033
  • CVE-2023-27577
  • CVE-2023-22489
