CVE-2025-24904

8.5 HIGH

📋 TL;DR

CVE-2025-24904 is a vulnerability in libsignal-service-rs that allows servers or malicious clients to inject plaintext content envelopes, potentially bypassing end-to-end encryption and authentication. This affects applications using vulnerable versions of the libsignal-service-rs library to communicate with Signal servers. The vulnerability could compromise the confidentiality and integrity of supposedly encrypted communications.

💻 Affected Systems

Products:
  • libsignal-service-rs
Versions: All versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8
Operating Systems: All platforms using Rust
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using the vulnerable libsignal-service-rs library to communicate with Signal servers.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept and read supposedly encrypted messages, inject malicious content, or impersonate legitimate users in Signal-based communication systems.

🟠 Likely Case

Malicious servers or compromised clients could bypass encryption protections to read or manipulate message content in applications using this library.

🟢 If Mitigated

With proper patching, the encryption and authentication mechanisms function as intended, preventing unauthorized access to message content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires either server access or ability to act as a malicious client. The vulnerability involves injection of plaintext envelopes that bypass encryption checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 82d70f6720e762898f34ae76b0894b0297d9b2f8

Vendor Advisory: https://github.com/whisperfish/libsignal-service-rs/security/advisories/GHSA-hrrc-wpfw-5hj2

Restart Required: No

Instructions:

1. Update libsignal-service-rs to include commit 82d70f6720e762898f34ae76b0894b0297d9b2f8
2. Update your Cargo.toml to reference the patched version
3. Rebuild your application with the updated dependency
4. Note: The fix adds a 'was_encrypted' field to the Metadata struct, which may require code updates due to API changes.

🔧 Temporary Workarounds

No known workarounds

The advisory states no known workarounds are available. Patching is the only mitigation.

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks
  • Monitor for unusual traffic patterns or unexpected plaintext in encrypted channels

🔍 How to Verify

Check if Vulnerable:

Check if your libsignal-service-rs dependency version includes commit 82d70f6720e762898f34ae76b0894b0297d9b2f8. If not, you are vulnerable.

Check Version:

cargo tree | grep libsignal-service-rs

Verify Fix Applied:

Verify that your application uses libsignal-service-rs with commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 or later, and that the Metadata struct includes the 'was_encrypted' field.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected plaintext content in supposedly encrypted channels
  • Authentication failures or bypasses in Signal protocol communications

Network Indicators:

  • Unencrypted or improperly encrypted traffic to/from Signal servers
  • Injection of plaintext envelopes in encrypted streams

SIEM Query:

Search for: 'libsignal-service-rs' AND ('plaintext injection' OR 'encryption bypass' OR 'CVE-2025-24904')
