PT-2026-3642 · Unknown · Hotwired Turbo
Published: 2026-01-20 · Updated: 2026-01-21 · CVE-2025-66803
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Hotwired Turbo versions prior to 8.0.0
Description
A race condition exists in the turbo-frame element handler. This issue can cause logout operations to fail when delayed frame responses reapply session cookies after a user has logged out. Attackers can exploit this by introducing selective network delays or by leveraging naturally occurring race conditions on shared computers. This allows remote attackers to restore destroyed session cookies, potentially logging a user back in after they have logged out.
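The ordering problem described above, as an added example that is not Hotwired Turbo's code and not part of the original advisory: a small model of a cookie jar applying `Set-Cookie` headers in arrival order, compared against a server-side session check. The cookie format, the function and class names, and the server-side revocation step are assumptions made for illustration; the advisory's own remediation is the upgrade to 8.0.0.

```javascript
// Constructed model of the logout race; not Turbo's code. All names are hypothetical.
// Cookie format "user|session-id" is an assumption made for this example.
const COOKIE = "alice|sid-constructed-1";

// Browser side: Set-Cookie headers take effect in the order responses ARRIVE,
// not the order the requests were sent. setCookie === null models a cleared cookie.
function applyInArrivalOrder(initialCookie, responses) {
  let jar = initialCookie;
  const ordered = [...responses].sort((a, b) => a.arrivesAt - b.arrivesAt);
  for (const r of ordered) {
    if (r.setCookie !== undefined) jar = r.setCookie;
  }
  return jar;
}

// Stateless check: whoever the cookie names is treated as logged in.
function cookieOnlyUser(cookie) {
  return cookie ? cookie.split("|")[0] : null;
}

// Server-side check: logout revokes the session id, so a restored cookie is dead.
class SessionStore {
  constructor() { this.live = new Set(); }
  create(cookie) { this.live.add(cookie.split("|")[1]); }
  revoke(cookie) { this.live.delete(cookie.split("|")[1]); }
  userFor(cookie) {
    if (!cookie) return null;
    const [user, sid] = cookie.split("|");
    return this.live.has(sid) ? user : null;
  }
}

// frameArrivesAt is when the turbo-frame response (sent before logout) lands.
function simulateLogout(frameArrivesAt) {
  const store = new SessionStore();
  store.create(COOKIE);
  const responses = [
    { name: "turbo-frame", arrivesAt: frameArrivesAt, setCookie: COOKIE }, // re-sends session
    { name: "logout", arrivesAt: 20, setCookie: null },                    // clears session
  ];
  store.revoke(COOKIE); // logout handler ran on the server
  const jar = applyInArrivalOrder(COOKIE, responses);
  return { jar, cookieOnly: cookieOnlyUser(jar), serverSide: store.userFor(jar) };
}

console.log(simulateLogout(10)); // frame response first, then logout
console.log(simulateLogout(50)); // frame response delayed past logout
```

When the frame response lands after the logout response, the jar ends up holding the old cookie again; a check that trusts the cookie alone treats the user as logged in, while the server-side lookup rejects the revoked session.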
Recommendations
Update Hotwired Turbo to version 8.0.0 or later.
Fix
Time Of Check To Time Of Use
Insufficient Session Expiration
Race Condition
Related identifiers
Affected products
Hotwired Turbo