CVE-2025-24903
Published: 13 February 2025
Description
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Security Summary
CVE-2025-24903 is an insufficient verification of data authenticity vulnerability (CWE-345) affecting libsignal-service-rs, a Rust implementation of the libsignal-service-java library used for core communication with Signal servers. In versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, the library fails to check the origin of sync messages, allowing any contact to forge a sync message that impersonates another device belonging to the local user.
An attacker with low privileges, such as a contact of the victim, can exploit this over the network with low complexity and no user interaction. Successful exploitation lets the attacker forge sync messages that impersonate the victim's linked devices, resulting in high integrity impact (I:H), partial confidentiality loss (C:L), and scope change to untrusted components, as reflected in the CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).
The vulnerability is patched in libsignal-service-rs after commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, which adds proper origin verification. The patch introduces a new `was_encrypted` field to the `Metadata` struct, which breaks API compatibility, though the break is noted as easily resolvable. No known workarounds exist; security practitioners should update to the patched version and refer to the GitHub commit and advisory for details.
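The origin check described above can be sketched as follows. This is an added example, not code from libsignal-service-rs: only `Metadata` and `was_encrypted` are names from the advisory, while the `sender` field, the `Kind` and `Verdict` enums, `check_origin`, and the meaning assigned to `was_encrypted` are assumptions made for illustration.

```rust
// Hypothetical, simplified model of the check; only `Metadata` and
// `was_encrypted` are names taken from the advisory text.
#[derive(Debug)]
struct Metadata {
    sender: String,      // assumed: account identifier the envelope came from
    was_encrypted: bool, // field added by the patch (assumed: envelope arrived encrypted)
}

#[derive(Debug, Clone, Copy, PartialEq)]
enum Kind {
    Data, // ordinary message, may come from any contact
    Sync, // claims to originate from one of the local user's linked devices
}

#[derive(Debug, PartialEq)]
enum Verdict {
    Accept,
    RejectForeignSender,
    RejectUnencrypted,
}

/// Decide whether a received message may be processed.
/// A sync message is trusted only when the local account sent it and it
/// arrived encrypted; the vulnerable behaviour was to accept every sync message.
fn check_origin(local_account: &str, meta: &Metadata, kind: Kind) -> Verdict {
    match kind {
        Kind::Data => Verdict::Accept,
        Kind::Sync if meta.sender != local_account => Verdict::RejectForeignSender,
        Kind::Sync if !meta.was_encrypted => Verdict::RejectUnencrypted,
        Kind::Sync => Verdict::Accept,
    }
}

fn main() {
    // Constructed sample envelopes; the account identifiers are made up.
    let samples = [
        ("own linked device", Metadata { sender: "acct-local".into(), was_encrypted: true }, Kind::Sync),
        ("contact sending sync", Metadata { sender: "acct-contact".into(), was_encrypted: true }, Kind::Sync),
        ("unencrypted sync", Metadata { sender: "acct-local".into(), was_encrypted: false }, Kind::Sync),
        ("contact data message", Metadata { sender: "acct-contact".into(), was_encrypted: true }, Kind::Data),
    ];
    for (label, meta, kind) in &samples {
        println!("{label}: {:?} -> {:?}", kind, check_origin("acct-local", meta, *kind));
    }
}
```

Callers that build `Metadata` values by hand need to set the new field after upgrading, which is the API break the advisory mentions.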
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows an attacker to forge sync messages impersonating a linked device of the victim, directly enabling device/account impersonation without requiring valid credentials or MitM positioning.