CVE-2025-66803

{"id": "CVE-2025-66803", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-66803", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T15:24:49.715163Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "affected": [{"source": "cve@mitre.org", "affectedData": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}]}], "published": "2026-01-20T19:15:49.537", "references": [{"url": "https://github.com/hotwired/turbo/pull/1399", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://turbo.hotwired.dev/handbook/frames", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers."}, {"lang": "es", "value": "Una condici\u00f3n de carrera en el manejador del elemento turbo-frame en Hotwired Turbo anterior a la versi\u00f3n 8.0.x provoca que las operaciones de cierre de sesi\u00f3n fallen cuando respuestas de frame retrasadas vuelven a aplicar las cookies de sesi\u00f3n despu\u00e9s del cierre de sesi\u00f3n. Esto puede ser explotado por atacantes remotos mediante retrasos selectivos en la red (por ejemplo, retrasando solicitudes bas\u00e1ndose en la secuencia o el tiempo) o por atacantes f\u00edsicamente pr\u00f3ximos cuando la condici\u00f3n de carrera ocurre naturalmente en ordenadores compartidos."}], "lastModified": "2026-06-17T09:57:15.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hotwired:turbo:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "04120F0A-E72C-42AA-A547-0812ABDFE630", "versionEndExcluding": "8.0.21"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}