CVE-2025-59841: CWE-384: Session Fixation in FlagForgeCTF flagForge

Critical
Vulnerability | CVE-2025-59841 | CWE-384 | CWE-613
Published: Thu Sep 25 2025 (09/25/2025, 15:15:45 UTC)
Source: CVE Database V5
Vendor/Project: FlagForgeCTF
Product: flagForge

Description

Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.

AI-Powered Analysis

Last updated: 09/26/2025, 00:13:59 UTC

Technical Analysis

CVE-2025-59841 is a critical security vulnerability affecting the FlagForgeCTF platform, specifically versions from 2.2.0 up to but not including 2.3.1. FlagForge is a Capture The Flag (CTF) competition platform used to host cybersecurity challenges. The vulnerability is classified under CWE-384 (Session Fixation) and CWE-613 (Insufficient Session Expiration). The core issue is improper session invalidation on user logout: authenticated users remain able to access protected endpoints such as /api/profile after logging out, which indicates that the session tokens are not revoked or expired on the server side. Additionally, Cross-Site Request Forgery (CSRF) tokens remain valid post-logout, so an attacker who can trick the user into submitting a crafted request can still perform unauthorized actions on the user's behalf. Together these flaws let an attacker keep using or hijack a session after logout, potentially leading to unauthorized access, data leakage, and manipulation of user data or platform state. The vulnerability has a CVSS v3.1 score of 9.8, reflecting its critical severity: a network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The issue was addressed in version 2.3.1 of FlagForge, which properly invalidates sessions and CSRF tokens upon logout, mitigating the risk of session fixation and unauthorized actions. There are no known exploits in the wild at the time of publication, but the high severity and ease of exploitation make it a significant threat to any organization running vulnerable versions of FlagForgeCTF.

Potential Impact

For European organizations using FlagForgeCTF versions 2.2.0 to before 2.3.1, this vulnerability poses a critical risk. Since FlagForge is used to manage CTF competitions, often by educational institutions, cybersecurity training providers, and security teams, exploitation could lead to unauthorized access to sensitive user profiles, competition data, and potentially the manipulation of challenge results or participant information. The persistence of session and CSRF tokens post-logout means attackers could maintain access without re-authentication, undermining trust in the platform's security. This could result in data breaches, reputational damage, and disruption of training or competitive events. Furthermore, if the platform is integrated with other internal systems or contains sensitive user data, the impact could extend beyond the platform itself. Given the critical CVSS score and the lack of required privileges or user interaction, the threat is highly exploitable and could be leveraged by attackers remotely over the network. European organizations must consider the regulatory implications under GDPR if personal data is compromised, potentially leading to fines and legal consequences.

Mitigation Recommendations

Organizations should immediately upgrade FlagForgeCTF to version 2.3.1 or later, where the session invalidation and CSRF token handling issues have been fixed. Until the upgrade is applied, administrators should consider implementing additional compensating controls such as enforcing strict session timeouts, monitoring for anomalous session activity, and restricting access to the FlagForge platform to trusted networks or VPNs. It is also advisable to audit existing sessions and force logout all users to invalidate any potentially compromised sessions. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious session fixation or CSRF attack patterns can provide temporary protection. Educating users about the risks of session fixation and encouraging them to close browsers after logout can reduce exposure. Finally, organizations should review their incident response plans to detect and respond to any unauthorized access attempts related to this vulnerability.
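The "monitor for anomalous session activity" recommendation above can be turned into a simple check. This is an added example, not FlagForge tooling: it scans access-log lines in a constructed format for session ids that are still served on protected endpoints after the server acknowledged their logout, which is exactly the symptom this advisory describes.

```javascript
// Added example (not FlagForge tooling): scan access-log lines for session ids
// that keep reaching protected endpoints after their logout succeeded, which is
// the observable symptom of the flaw. Log format and entries are constructed.
const SAMPLE_LOG = `
2025-09-25T10:00:01Z sid=a1f3 user=alice POST /api/login 200
2025-09-25T10:02:10Z sid=a1f3 user=alice GET /api/profile 200
2025-09-25T10:05:00Z sid=a1f3 user=alice POST /api/logout 200
2025-09-25T10:07:30Z sid=a1f3 user=alice GET /api/profile 200
2025-09-25T10:08:00Z sid=b7c9 user=bob POST /api/login 200
2025-09-25T10:09:00Z sid=b7c9 user=bob GET /api/profile 200
2025-09-25T10:12:00Z sid=a1f3 user=alice POST /api/submit 200
2025-09-25T10:13:00Z sid=c0de user=eve GET /api/profile 401
`.trim();

const LINE_RE = /^(\S+) sid=(\S+) user=(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], sid: m[2], user: m[3], method: m[4], path: m[5], status: Number(m[6]) };
}

// One finding per request that was served (2xx) with a session id whose logout
// the server had already acknowledged. Assumes lines are in time order and that
// a fresh login always issues a new session id.
function findPostLogoutReuse(logText) {
  const loggedOut = new Map(); // sid -> timestamp of the acknowledged logout
  const findings = [];
  for (const raw of logText.split("\n")) {
    const e = parseLine(raw);
    if (!e) continue;
    if (e.path === "/api/logout" && e.status === 200) {
      loggedOut.set(e.sid, e.ts);
      continue;
    }
    const loggedOutAt = loggedOut.get(e.sid);
    if (loggedOutAt && e.status >= 200 && e.status < 300) {
      findings.push({ sid: e.sid, user: e.user, path: e.path, loggedOutAt, seenAt: e.ts });
    }
  }
  return findings;
}
```

On the sample log this reports two findings for session `a1f3` (the /api/profile and /api/submit requests after its 10:05:00 logout); a patched server would answer those with 401 and produce no findings.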

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-22T14:34:03.472Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d5da079e21be37e937d09b

Added to database: 9/26/2025, 12:10:47 AM

Last enriched: 9/26/2025, 12:13:59 AM

Last updated: 9/26/2025, 12:13:59 AM
