CVE-2025-24904
Published: 13 February 2025
Description
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-24904 affects libsignal-service-rs, a Rust implementation of the libsignal-service-java library used for core communication with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, the library is vulnerable to injection of plaintext content envelopes by a server or malicious client, potentially bypassing end-to-end encryption and authentication mechanisms. This flaw is classified under CWE-74 and CWE-287, with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).
A malicious client with low privileges or a compromised Signal server can exploit this over the network with low complexity and no user interaction, achieving high-impact integrity violations alongside low confidentiality impact. Attackers could inject unauthorized plaintext envelopes into communications, undermining the protocol's security guarantees by evading encryption and authentication checks.
The vulnerability is fixed in commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, which adds a `was_encrypted` field to the `Metadata` struct; this change breaks the API but is described as easily resolvable. No known workarounds exist, per the GitHub security advisory (GHSA-hrrc-wpfw-5hj2).
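One way a consumer of the library can act on the new field after upgrading, shown as an added example that is not code from libsignal-service-rs or the advisory. Only the `Metadata` struct and its `was_encrypted` field come from the page; `Content`, `Body`, `Rejected`, `accept` and the rule that a decryption-error retry request is the only content tolerated unencrypted are assumptions made for illustration.

```rust
// Simplified stand-ins for the library's types, constructed for this example.
// Only `Metadata` and its `was_encrypted` field are named in the advisory.
#[derive(Debug, Clone, PartialEq)]
pub enum Body {
    DataMessage(String),
    // Assumption: a retry request sent when decryption failed, so it cannot be encrypted.
    DecryptionError,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Metadata {
    pub sender: String,
    pub was_encrypted: bool,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Content {
    pub metadata: Metadata,
    pub body: Body,
}

#[derive(Debug, PartialEq)]
pub enum Rejected {
    PlaintextNotAllowed { sender: String },
}

/// Gate every received item before the application acts on it. Fails closed:
/// content that did not arrive encrypted is dropped unless its kind is allowlisted.
pub fn accept(content: Content) -> Result<Content, Rejected> {
    let allowlisted = matches!(content.body, Body::DecryptionError);
    if content.metadata.was_encrypted || allowlisted {
        Ok(content)
    } else {
        Err(Rejected::PlaintextNotAllowed { sender: content.metadata.sender })
    }
}

fn main() {
    // Constructed sample: a data message delivered in a plaintext envelope.
    let injected = Content {
        metadata: Metadata { sender: "peer-a".into(), was_encrypted: false },
        body: Body::DataMessage("hello".into()),
    };
    match accept(injected) {
        Ok(c) => println!("deliver: {:?}", c.body),
        Err(e) => eprintln!("dropped: {:?}", e),
    }
}
```

Logging each `Rejected` value with its sender gives a detection signal for injection attempts against an upgraded client.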
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows a server or malicious client to inject plaintext envelopes that bypass E2EE and authentication, directly facilitating traffic injection from a MITM position (T1557) and manipulation of transmitted data (T1565.002).