CVE-2025-53940

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.

CVSS

No CVSS.

References

Link	Resource
https://github.com/TryQuiet/quiet/issues/2820#issue-3021080269
https://github.com/TryQuiet/quiet/pull/2928
https://github.com/TryQuiet/quiet/security/advisories/GHSA-gpw8-w78h-xj67

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Quiet es una alternativa a las aplicaciones de chat en equipo como Slack, Discord y Element, que no requiere confiar en un servidor central ni ejecutar uno propio. En las versiones 6.1.0-alpha.4 y anteriores, la API de Quiet para la comunicación entre el backend y el frontend utilizaba una función de comparación insegura y no constante para la verificación de tokens. Esto permitía un posible ataque de sincronización: un atacante probaba diferentes valores de token y observaba pequeñas diferencias en el tiempo de respuesta (los caracteres incorrectos fallan más rápido) para adivinar el token completo, carácter por carácter. Esto se solucionó en la versión 6.0.1.

24 Jul 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-24 23:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-53940

Mitre link : CVE-2025-53940

CVE.ORG link : CVE-2025-53940

JSON object : View

Products Affected

No product.

CWE

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2025-53940", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-24T23:15:26.620", "references": [{"url": "https://github.com/TryQuiet/quiet/issues/2820#issue-3021080269", "source": "security-advisories@github.com"}, {"url": "https://github.com/TryQuiet/quiet/pull/2928", "source": "security-advisories@github.com"}, {"url": "https://github.com/TryQuiet/quiet/security/advisories/GHSA-gpw8-w78h-xj67", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1."}, {"lang": "es", "value": "Quiet es una alternativa a las aplicaciones de chat en equipo como Slack, Discord y Element, que no requiere confiar en un servidor central ni ejecutar uno propio. En las versiones 6.1.0-alpha.4 y anteriores, la API de Quiet para la comunicaci\u00f3n entre el backend y el frontend utilizaba una funci\u00f3n de comparaci\u00f3n insegura y no constante para la verificaci\u00f3n de tokens. Esto permit\u00eda un posible ataque de sincronizaci\u00f3n: un atacante probaba diferentes valores de token y observaba peque\u00f1as diferencias en el tiempo de respuesta (los caracteres incorrectos fallan m\u00e1s r\u00e1pido) para adivinar el token completo, car\u00e1cter por car\u00e1cter. Esto se solucion\u00f3 en la versi\u00f3n 6.0.1."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}