CVE-2025-48061
📋 TL;DR
A session invalidation vulnerability in the Wire webapp allows a user who has logged out to be automatically logged back in when the application is reopened. It affects all Wire webapp users who do not use temporary sessions or delete their personal information upon logout. The issue stems from improper session cleanup after logout.
💻 Affected Systems
- wire-webapp
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access to a shared computer could gain unauthorized access to a user's Wire account and conversations after the legitimate user logged out.
Likely Case
Users on shared or public computers inadvertently leave their sessions accessible to subsequent users of the same machine, potentially exposing private conversations.
If Mitigated
No impact when using temporary sessions or deleting personal information upon logout as described in the workaround.
🎯 Exploit Status
Exploitation requires access to the same device where the user previously logged in and didn't use protective measures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025-05-20-production.0
Vendor Advisory: https://github.com/wireapp/wire-webapp/security/advisories/GHSA-7r6m-qjwm-w44q
Restart Required: Yes
Instructions:
1. Update wire-webapp to version 2025-05-20-production.0 or later.
2. Restart the application.
3. Verify the fix by testing logout and reopening behavior.
🔧 Temporary Workarounds
Use temporary sessions
Select "This is a public computer" during login to create a temporary session that doesn't persist improperly.
Delete personal information upon logout
Always select "Delete all your personal information and conversations on this device" when logging out.
🧯 If You Can't Patch
- Enforce policy requiring users on shared devices to always use temporary sessions or delete personal information upon logout.
- Implement device session timeouts and mandatory re-authentication for sensitive operations.
🔍 How to Verify
Check if Vulnerable:
1. Log into the Wire webapp on a test device.
2. Log out normally (without selecting the delete option).
3. Close and reopen the application.
4. If you are automatically logged back in, the system is vulnerable.
Check Version:
Check the application version in settings or about page, or inspect the web application source for version information.
Verify Fix Applied:
Repeat the vulnerable check steps after patching. The application should not automatically log you in after logout.
📡 Detection & Monitoring
Log Indicators:
- The same user/session ID becoming active again shortly after a logout, without a corresponding explicit login event
- Session tokens persisting beyond logout events
Network Indicators:
- Unusual authentication patterns where sessions resume without fresh credentials
SIEM Query:
source="wire-webapp" (event="login" OR event="session_resume") | bin _time span=5m | stats count by user, session_id, _time | where count > 1
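The log indicator above (a session resuming after a logout with no fresh login in between) can also be checked offline. The following is an added example, not code from Wire or from this advisory; the JSON log format, field names (ts, event, user, session_id) and the sample lines are all constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample log, one JSON event per line (not real Wire output).
# Session s1 resumes after alice logged out with no new login: the indicator.
# Session s3 resumes only after bob logged in again: benign.
SAMPLE_LOGS = """\
{"ts":"2025-05-21T09:00:00Z","event":"login","user":"alice","session_id":"s1"}
{"ts":"2025-05-21T09:30:00Z","event":"logout","user":"alice","session_id":"s1"}
{"ts":"2025-05-21T09:31:00Z","event":"session_resume","user":"alice","session_id":"s1"}
{"ts":"2025-05-21T10:00:00Z","event":"login","user":"bob","session_id":"s2"}
{"ts":"2025-05-21T10:05:00Z","event":"logout","user":"bob","session_id":"s2"}
{"ts":"2025-05-21T10:06:00Z","event":"login","user":"bob","session_id":"s3"}
{"ts":"2025-05-21T10:07:00Z","event":"session_resume","user":"bob","session_id":"s3"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_resumed_after_logout(events):
    """Flag session_resume events for a (user, session_id) whose last
    lifecycle event was a logout, i.e. the session survived logout."""
    logged_out = {}  # (user, session_id) -> logout timestamp
    findings = []
    for ev in events:
        key = (ev["user"], ev["session_id"])
        if ev["event"] == "login":
            logged_out.pop(key, None)  # fresh credentials: session is legitimate again
        elif ev["event"] == "logout":
            logged_out[key] = ev["ts"]
        elif ev["event"] == "session_resume" and key in logged_out:
            findings.append({"user": ev["user"], "session_id": ev["session_id"],
                             "logout_at": logged_out[key], "resumed_at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_resumed_after_logout(parse_events(SAMPLE_LOGS)):
        print(f"{f['user']} session {f['session_id']} resumed at {f['resumed_at']} "
              f"after logout at {f['logout_at']}")
```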