CVE-2025-24903 HIGH

CVE-2025-24903: libsignal-service-rs Doesn't Check Origin of Sync Messages

Vendor Whisperfish
Product libsignal-service-rs
Weakness CWE-345
Published February 13, 2025
Last update February 13, 2025

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

What the vulnerability does

01Description

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user. The origin of sync messages is not checked. Patched libsignal-service can be found after commit 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available.

Key dates

02Disclosure timeline

February 13, 2025 CVE published
February 13, 2025 Record updated

Related vulnerabilities

04Related CVE