CVE CyberSecurity Database News

CVE-2025-21611 - tgstation-server API Authorization Bypass Explained with Code Example

Poster -

The world of open-source server management tools often faces unexpected bugs leading to security flaws. One recent example is CVE-2025-21611, which affects *tgstation-server*, a popular management suite for BYOND game servers. In this post, we'll break down the vulnerability, demonstrate how it works, provide practical code snippets, and guide you towards fixing or mitigating the issue.

What Is the tgstation-server?

For anyone new: *tgstation-server* is designed to make hosting and administrating BYOND servers (like those running Space Station 13) easier and more robust at scale. It powers community and production game servers that rely on dependable access controls.

More details:
- tgstation-server project on GitHub

The Vulnerability in Simple Terms

CVE-2025-21611 is an authorization flaw present before version 6.12.3. It stems from a simple programming mistake:

- The API used to check access permissions for users used the logical OR (||) operator where it should instead have used the AND (&&) operator.

Why does this matter?

This mistake resulted in enabled users being granted access to most authorized API actions, *even if their explicit permissions did not allow it*. Notably, the critical WriteUsers right (which would let a user permanently escalate their permissions) was not affected — so the bug can't be used to keep permanent admin access.

Here’s a simplified version (not the real code, but close enough) of what happened

// Hypothetical original logic:
if(user.IsEnabled || user.HasPermission(rightNeeded))
{
    // Allow action
}

Proper (fixed) logic should be

// Correct logic:
if(user.IsEnabled && user.HasPermission(rightNeeded))
{
    // Allow action
}

Why is this a Problem?

The first snippet means: "If the user is enabled *or* has permission, let them proceed."
So, any enabled user—regardless of specific rights—can access most authorized endpoints. The check unintentionally becomes very permissive.

Exploit Scenario

Suppose there’s an API route like /api/restartserver, restricted to users with RestartServer permission.

- Before the patch, any *enabled* user (even with no special rights, just a regular player-registered account) could send an API call to this endpoint, and the server would accept it!

Pretend tokens and endpoints for illustration

curl -X POST https://yourserver/api/restartserver \
     -H "Authorization: Bearer ENABLED_BUT_UNPRIVILEGED_TOKEN"

With the bug, this action succeeds.

- After updating to tgstation-server v6.12.3, it properly fails unless your account actually has RestartServer right.

Specific actions might still require the correct explicit permission.

## How to Fix / Mitigate

Upgrade your tgstation-server to v6.12.3 or newer ASAP!

- Download from: Releases on GitHub

References

- Official GHSA Advisory: CVE-2025-21611 *(Replace XXXX with real if available)*
- Patch: tgstation-server v6.12.3 Release Notes
- Full Source Code

Conclusion

CVE-2025-21611 is an *authorization bypass* bug resulting from a simple logic mistake—using OR instead of AND in permission checks. Any enabled user could carry out most sensitive API tasks, posing a risk for server stability.

If you run a BYOND server with tgstation-server, upgrade to v6.12.3 immediately!
Keep an eye out for updates, and always review your access logic. Small code changes can make a big difference.

Timeline

Published on: 01/06/2025 16:15:31 UTC