FKIE_CVE-2025-66803

Vulnerability from fkie_nvd - Published: 2026-01-20 19:15 - Updated: 2026-01-30 20:03
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.
References
cve@mitre.orghttps://github.com/hotwired/turbo/pull/1399Exploit, Issue Tracking, Patch
cve@mitre.orghttps://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvpVendor Advisory
cve@mitre.orghttps://turbo.hotwired.dev/handbook/framesProduct
Impacted products
Vendor Product Version
hotwired turbo *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hotwired:turbo:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "04120F0A-E72C-42AA-A547-0812ABDFE630",
              "versionEndExcluding": "8.0.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers."
    },
    {
      "lang": "es",
      "value": "Una condici\u00f3n de carrera en el manejador del elemento turbo-frame en Hotwired Turbo anterior a la versi\u00f3n 8.0.x provoca que las operaciones de cierre de sesi\u00f3n fallen cuando respuestas de frame retrasadas vuelven a aplicar las cookies de sesi\u00f3n despu\u00e9s del cierre de sesi\u00f3n. Esto puede ser explotado por atacantes remotos mediante retrasos selectivos en la red (por ejemplo, retrasando solicitudes bas\u00e1ndose en la secuencia o el tiempo) o por atacantes f\u00edsicamente pr\u00f3ximos cuando la condici\u00f3n de carrera ocurre naturalmente en ordenadores compartidos."
    }
  ],
  "id": "CVE-2025-66803",
  "lastModified": "2026-01-30T20:03:34.880",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-20T19:15:49.537",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/hotwired/turbo/pull/1399"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://turbo.hotwired.dev/handbook/frames"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.