CVE-2025-24903
📋 TL;DR
This vulnerability in libsignal-service-rs allows any contact to forge sync messages and impersonate another device of the local user. It affects applications using vulnerable versions of this Rust library for Signal server communication. The issue stems from missing origin verification for sync messages.
💻 Affected Systems
- libsignal-service-rs
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could fully impersonate a user's other devices, potentially accessing private conversations, sending messages as the user, or manipulating account settings.
Likely Case
Attackers in a user's contact list could send forged sync messages to impersonate other devices, potentially leading to message interception or account manipulation.
If Mitigated
With proper patching, the vulnerability is eliminated through origin verification of sync messages.
🎯 Exploit Status
Exploitation requires being in the target's contact list. The attacker needs to understand the Signal protocol and be able to craft malicious sync messages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 or later
Vendor Advisory: https://github.com/whisperfish/libsignal-service-rs/security/advisories/GHSA-r58q-66g9-h6g8
Restart Required: No
Instructions:
1. Update libsignal-service-rs to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 or later.
2. Note that the Metadata struct now includes a 'was_encrypted' field, which may require API adjustments in calling code.
3. Rebuild and redeploy applications using the library.
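The following Rust snippet is an added illustration of the kind of origin check the fix introduces; it is not code from libsignal-service-rs. The `Metadata` struct and its `was_encrypted` field are named in the advisory text above, but the `ServiceId` and `Content` types, the `verify_origin` function, the `accept_unverified` sketch of the pre-fix behaviour, and the exact semantics of `was_encrypted` are assumptions made for this example. The point it shows: a sync message is trusted only when the authenticated sender is the local account itself and the envelope was actually encrypted, so a contact cannot pose as one of the user's own devices.

```rust
// Added example (not libsignal-service-rs code): origin verification for sync messages.

/// Hypothetical stand-in for a Signal account identifier (ACI).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ServiceId(pub String);

/// Envelope metadata available after decryption. The field names mirror the
/// advisory's description; the semantics of `was_encrypted` are assumed here:
/// true only when the message arrived in an authenticated, encrypted envelope.
#[derive(Debug, Clone)]
pub struct Metadata {
    pub sender: ServiceId,
    pub was_encrypted: bool,
}

/// Hypothetical simplified content: either a normal chat message from a
/// contact or a sync message that claims to come from another own device.
#[derive(Debug, Clone)]
pub enum Content {
    DataMessage(String),
    SyncMessage(String),
}

#[derive(Debug, PartialEq, Eq)]
pub enum RejectReason {
    /// Sync message whose authenticated sender is not the local account.
    SyncFromForeignSender,
    /// Sync message that did not arrive through an encrypted envelope.
    SyncNotEncrypted,
}

/// Sketch of the vulnerable behaviour: the content is accepted regardless of
/// who sent it, so any contact can forge a sync message.
pub fn accept_unverified(
    _local: &ServiceId,
    _meta: &Metadata,
    _content: &Content,
) -> Result<(), RejectReason> {
    Ok(())
}

/// Hardened behaviour: sync messages must originate from the local account
/// (i.e. another device of the same user) and must have been encrypted.
/// Data messages from contacts are unaffected by this check.
pub fn verify_origin(
    local: &ServiceId,
    meta: &Metadata,
    content: &Content,
) -> Result<(), RejectReason> {
    if let Content::SyncMessage(_) = content {
        if &meta.sender != local {
            return Err(RejectReason::SyncFromForeignSender);
        }
        if !meta.was_encrypted {
            return Err(RejectReason::SyncNotEncrypted);
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample: a contact tries to pass off a sync message as one of
    // the local user's own devices.
    let local = ServiceId("aci-local".to_string());
    let forged = Metadata { sender: ServiceId("aci-contact".to_string()), was_encrypted: true };
    let sync = Content::SyncMessage("mark all conversations read".to_string());
    println!("unverified: {:?}", accept_unverified(&local, &forged, &sync));
    println!("verified:   {:?}", verify_origin(&local, &forged, &sync));
}
```

In practice the sender identity must come from the cryptographic layer (the decrypted and authenticated envelope), never from a field inside the sync message itself; that is exactly what the `Metadata` check above relies on.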
🔧 Temporary Workarounds
No workarounds available
The advisory states no known workarounds exist for this vulnerability.
🧯 If You Can't Patch
- Limit contact list to trusted individuals only
- Monitor for unusual sync activity or device impersonation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the libsignal-service-rs revision you build against predates commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 (for a git checkout, confirm that the fix commit is an ancestor of the revision you use, not merely that your HEAD is recent)
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify that the Metadata struct in your codebase includes the 'was_encrypted' field and that you're using commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 or later
📡 Detection & Monitoring
Log Indicators:
- Unexpected sync messages from contacts
- Multiple device registrations from same user
- Sync messages with mismatched origin information
Network Indicators:
- Unusual sync message patterns
- Sync messages from unexpected sources
SIEM Query:
Signal sync messages where source != expected_device_id OR sync_count > threshold
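The SIEM pseudo-query above can be expressed as concrete detection logic. The Rust snippet below is an added example, not part of this advisory or of libsignal-service-rs: it runs over constructed `key=value` log lines (a format assumed for this example, since the page does not define one) and flags two conditions from the indicators listed above: sync messages whose source is not the local account, and sources that exceed a sync-message burst threshold.

```rust
// Added example (not part of the advisory): detection logic for the
// "source != expected" and "sync_count > threshold" indicators.
use std::collections::HashMap;

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    /// A sync message whose source is not the local account (line is 1-based).
    SyncFromForeignSource { line: usize, source: String },
    /// A single source sent more sync messages than the threshold allows.
    SyncBurst { source: String, count: usize },
}

/// Parse one constructed "key=value key=value ..." log line.
fn parse(line: &str) -> HashMap<&str, &str> {
    line.split_whitespace()
        .filter_map(|kv| kv.split_once('='))
        .collect()
}

/// Scan log lines for sync messages that do not originate from `local_aci`
/// and for sources whose sync-message count exceeds `burst_threshold`.
pub fn analyse(local_aci: &str, lines: &[&str], burst_threshold: usize) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut sync_counts: HashMap<String, usize> = HashMap::new();

    for (i, line) in lines.iter().enumerate() {
        let fields = parse(line);
        if fields.get("type") != Some(&"sync") {
            continue; // only sync messages are subject to the origin rule
        }
        let source = fields.get("source").copied().unwrap_or("unknown").to_string();
        if source != local_aci {
            findings.push(Finding::SyncFromForeignSource { line: i + 1, source: source.clone() });
        }
        *sync_counts.entry(source).or_insert(0) += 1;
    }

    // Report burst sources in a deterministic order.
    let mut bursts: Vec<(String, usize)> = sync_counts
        .into_iter()
        .filter(|(_, count)| *count > burst_threshold)
        .collect();
    bursts.sort();
    for (source, count) in bursts {
        findings.push(Finding::SyncBurst { source, count });
    }
    findings
}

/// Constructed sample log: one contact sends three sync messages that claim
/// to be from another device of the local user.
pub const SAMPLE_LOG: &[&str] = &[
    "ts=1 type=data source=aci-contact device=1",
    "ts=2 type=sync source=aci-local device=2",
    "ts=3 type=sync source=aci-contact device=1",
    "ts=4 type=sync source=aci-contact device=1",
    "ts=5 type=sync source=aci-contact device=1",
];

fn main() {
    for finding in analyse("aci-local", SAMPLE_LOG, 2) {
        println!("{:?}", finding);
    }
}
```

The `source` field must be the authenticated sender recorded by the messaging layer, not a value copied out of the sync message body; otherwise the first rule can be satisfied by the very forgery it is meant to catch.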