CVE-2025-66803

4.8 MEDIUM

📋 TL;DR

A race condition in Hotwired Turbo's turbo-frame element handler allows logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays or by physically proximate attackers on shared computers. Affects applications using Hotwired Turbo for dynamic page updates.

💻 Affected Systems

Products:
  • Hotwired Turbo
Versions: All versions before 8.0.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using turbo-frame elements with session-dependent operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers maintain unauthorized access to user sessions after logout, potentially accessing sensitive data or performing actions as the logged-out user.

🟠 Likely Case

Session persistence after logout on shared computers or in environments with network manipulation, leading to unauthorized access.

🟢 If Mitigated

Minimal impact with proper session management controls and timely patching.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires timing manipulation and access to the user's session context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.x and later

Vendor Advisory: https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp

Restart Required: Yes

Instructions:

1. Update Hotwired Turbo to version 8.0.x or later.
2. Restart the application server.
3. Verify the fix by testing logout functionality.

🔧 Temporary Workarounds

Disable turbo-frame for logout operations

Avoid using turbo-frame elements for logout actions to prevent the race condition.

Modify application code to use standard form submissions or links for logout instead of turbo-frame.

🧯 If You Can't Patch

  • Implement server-side session invalidation on logout to ensure cookies are properly cleared.
  • Use short session timeouts and enforce re-authentication for sensitive operations.

🔍 How to Verify

Check if Vulnerable:

Check the Turbo version in your package.json or Gemfile. If the version is below 8.0.x and turbo-frame elements are used for logout, the application is vulnerable.

Check Version:

  • npm: npm list @hotwired/turbo
  • Ruby: bundle show turbo-rails

Verify Fix Applied:

After updating to Turbo 8.0.x or later, test logout functionality to ensure sessions are properly terminated and cookies are not reapplied.

📡 Detection & Monitoring

Log Indicators:

  • Multiple session cookie reapplications after logout requests
  • Unusual timing delays in frame responses

Network Indicators:

  • Delayed HTTP responses to turbo-frame requests coinciding with logout operations

SIEM Query:

Search for logout events followed by session cookie resets within a short time window.
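An added example, not part of this advisory: a small Python checker that applies the query above to constructed access-log lines, flagging any response that sets the session cookie for a client within a short window after that client's logout. The log format, the cookie name and the logout/login routes are assumptions; adapt them to your own logs.

```python
import re
from datetime import datetime

# Constructed log format (not a real server format): ISO timestamp, client id,
# method, path, and the cookie names the response set ("-" when none).
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) "
                     r"(?P<path>\S+) set_cookie=(?P<cookies>\S+)$")
SESSION_COOKIE = "_app_session"                          # assumed cookie name
LOGOUT = {("POST", "/logout"), ("DELETE", "/session")}   # assumed routes
LOGIN = {("POST", "/login"), ("POST", "/session")}       # assumed routes
# Constructed sample: c1 has a turbo-frame request in flight, logs out, and the
# delayed frame response then sets the session cookie again two seconds later.
SAMPLE_LOG = """\
2025-01-15T10:00:00 client=c1 GET /frames/cart set_cookie=-
2025-01-15T10:00:01 client=c1 POST /logout set_cookie=_app_session
2025-01-15T10:00:03 client=c1 GET /frames/cart set_cookie=_app_session,_csrf
2025-01-15T10:00:05 client=c2 POST /logout set_cookie=_app_session
2025-01-15T10:00:06 client=c3 POST /login set_cookie=_app_session
2025-01-15T10:00:30 client=c2 GET /frames/inbox set_cookie=_app_session
""".splitlines()

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    cookies = () if m["cookies"] == "-" else tuple(m["cookies"].split(","))
    return datetime.fromisoformat(m["ts"]), m["client"], m["method"], m["path"], cookies

def find_reissued_sessions(lines, window_seconds=10):
    """Return (client, logout_ts, reissue_ts, path) for each response that set the
    session cookie within window_seconds of the same client's logout. The logout
    response itself (which clears the cookie) is skipped; a login ends the watch."""
    last_logout, findings = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, method, path, cookies = rec
        if (method, path) in LOGOUT:
            last_logout[client] = ts
        elif (method, path) in LOGIN:
            last_logout.pop(client, None)
        elif (client in last_logout and SESSION_COOKIE in cookies
              and (ts - last_logout[client]).total_seconds() <= window_seconds):
            findings.append((client, last_logout[client], ts, path))
    return findings

if __name__ == "__main__":
    for client, out, back, path in find_reissued_sessions(SAMPLE_LOG):
        print(f"{client}: {path} re-set the session cookie {(back - out).seconds}s after logout")
```

Widen window_seconds to match the longest frame-response delay you see in practice; a legitimate re-login after logout is excluded by the LOGIN routes, so tune those first to avoid false positives.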
