
CVE-2025-59841: CWE-384: Session Fixation in FlagForgeCTF flagForge

Critical
Tags: Vulnerability, CVE-2025-59841, CWE-384, CWE-613
Published: Thu Sep 25 2025 (09/25/2025, 15:15:45 UTC)
Source: CVE Database V5
Vendor/Project: FlagForgeCTF
Product: flagForge

Description

Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.

AI-Powered Analysis

Last updated: 10/03/2025, 00:32:00 UTC

Technical Analysis

CVE-2025-59841 is a critical session fixation vulnerability affecting the FlagForgeCTF platform, specifically versions from 2.2.0 up to but not including 2.3.1. FlagForge is a web-based Capture The Flag (CTF) platform used for cybersecurity competitions and training. The vulnerability arises from improper session invalidation upon user logout: when a user logs out, the session tokens and CSRF tokens remain valid, allowing an attacker to continue accessing protected endpoints such as /api/profile without re-authentication. This means that an attacker who can fixate or hijack a session token before logout can maintain unauthorized access to the victim's account even after the victim has logged out. The vulnerability is classified under CWE-384 (Session Fixation) and CWE-613 (Insufficient Session Expiration). The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The flaw allows attackers to perform unauthorized actions by leveraging still-valid CSRF tokens post-logout, potentially leading to account takeover, data leakage, or manipulation of user data. The issue has been addressed in FlagForge version 2.3.1, which properly invalidates sessions and CSRF tokens upon logout, mitigating the risk of session fixation and unauthorized access.

Potential Impact

For European organizations using FlagForgeCTF for cybersecurity training, competitions, or internal security exercises, this vulnerability poses a significant risk. Attackers could exploit the session fixation flaw to gain persistent unauthorized access to user accounts, potentially exposing sensitive training data, user profiles, or competition flags. This could undermine the integrity of training exercises and lead to leakage of confidential information. Additionally, unauthorized actions performed via valid CSRF tokens could disrupt platform operations or manipulate results, affecting organizational security posture and trust in the platform. Given the critical CVSS score and the nature of the vulnerability, exploitation could result in full compromise of user accounts without requiring user interaction or elevated privileges. This is especially impactful for organizations relying on FlagForgeCTF for realistic security training scenarios, as it could allow adversaries to bypass intended access controls and persist within the platform environment.

Mitigation Recommendations

European organizations should immediately upgrade FlagForgeCTF installations to version 2.3.1 or later, where the session invalidation and CSRF token handling issues have been fixed. Until the upgrade is applied, organizations should consider implementing additional compensating controls such as enforcing short session timeouts, monitoring for anomalous session activity, and restricting access to the FlagForge platform via network segmentation or VPNs to limit exposure. Administrators should also audit logs for suspicious access patterns indicative of session fixation or unauthorized use post-logout. It is recommended to educate users about the importance of closing browser sessions and not sharing session tokens. Additionally, organizations could deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious session reuse or CSRF token abuse. Finally, regular vulnerability scanning and penetration testing should be conducted to verify that the patch has been correctly applied and that no residual session management issues remain.
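The following is an added example (not FlagForge code) that models the behaviour described in the Technical Analysis and the post-patch verification called for above: a hypothetical server-side session store where logout must delete the server record, with a check that the old session id and CSRF token are rejected afterwards. The `invalidate_on_logout=False` switch reproduces the CWE-613 condition for comparison; all names and the in-memory store are assumptions.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

# Hypothetical minimal session layer (added example, not FlagForge code):
# server-side store keyed by an opaque session id, CSRF token bound to the session.
@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)   # sid -> {"user": ..., "csrf": ...}
    invalidate_on_logout: bool = True              # False reproduces the CWE-613 behaviour

    def login(self, user: str) -> tuple[str, str]:
        sid = secrets.token_urlsafe(32)   # fresh id on login: a pre-login id is never promoted
        csrf = secrets.token_urlsafe(32)  # CSRF token lives and dies with this session
        self.sessions[sid] = {"user": user, "csrf": csrf}
        return sid, csrf

    def logout(self, sid: str) -> None:
        # Clearing the cookie client-side is not enough; the server record must go,
        # which also kills the CSRF token bound to it.
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)

    def get_profile(self, sid: str) -> tuple[int, dict]:
        """GET /api/profile: 200 with user data, or 401 when the session is unknown."""
        sess = self.sessions.get(sid)
        if sess is None:
            return 401, {}
        return 200, {"user": sess["user"]}

    def post_action(self, sid: str, csrf: str) -> int:
        """State-changing POST: needs a live session AND the CSRF token bound to it."""
        sess = self.sessions.get(sid)
        if sess is None:
            return 401
        if not secrets.compare_digest(sess["csrf"], csrf):
            return 403
        return 200


def logout_invalidates(store: SessionStore) -> dict:
    """Post-patch check: after logout the old sid and CSRF token must both be rejected."""
    sid, csrf = store.login("alice")
    if store.get_profile(sid)[0] != 200:
        raise RuntimeError("fresh session unexpectedly rejected")
    store.logout(sid)
    # A fixed system returns 401 for both; the vulnerable behaviour returns 200 for both.
    return {"profile": store.get_profile(sid)[0], "action": store.post_action(sid, csrf)}
```

Against a real deployment the same check is a logged-in request, a logout, then a replay of the saved cookie and CSRF token against /api/profile and a state-changing endpoint; anything other than a rejection means the patch is not in effect.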


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-22T14:34:03.472Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d5da079e21be37e937d09b

Added to database: 9/26/2025, 12:10:47 AM

Last enriched: 10/3/2025, 12:32:00 AM

Last updated: 12/26/2025, 7:25:02 PM

