CVE-2025-24903

Name of the Vulnerable Software and Affected Versions: libsignal-service-rs versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8

Description: The issue allows any contact to forge a sync message, impersonating another device of the local user, because the origin of sync messages is not checked. The Metadata struct contains an additional was encrypted field, which breaks the API, but should be easily resolvable. No known workarounds are available.

Recommendations: For versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, update to a version after commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 to resolve the issue. As a temporary workaround, consider implementing additional validation for the origin of sync messages until a patched version is available. Restrict access to sensitive functionality that relies on the Metadata struct until the API compatibility issue is resolved.