CVE-2025-27794 – Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite

https://notcve.org/view.php?id=CVE-2025-27794

12 Mar 2025 — Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. Key Constraints are that the attacker must control any subdomain under the pare... • https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •