PT-2025-7046 · Unknown · Libsignal-Service-Rs

Valldrac

Published

2025-02-13

Updated

2025-02-17

CVE-2025-24904

CVSS v3.1

8.5

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions: libsignal-service-rs versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8

Description: The libsignal-service-rs library, a Rust version of libsignal-service-java, had a vulnerability that allowed a server or malicious client to inject plaintext content envelopes. This could have potentially bypassed end-to-end encryption and authentication. The Metadata struct contains an additional was encrypted field, which breaks the API but should be easily resolvable.

Recommendations: For versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, update to a version that includes the fix according to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable Metadata struct until the update is applied.

Exploit

Fix

Improper Authentication

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-74

Related Identifiers

CVE-2025-24904

GHSA-HRRC-WPFW-5HJ2

Affected Products

Libsignal-Service-Rs

PT-2025-7046 · Unknown · Libsignal-Service-Rs

CVE-2025-24904

Weakness Enumeration

Related Identifiers

Affected Products

References · 11