CVE-2025-53940
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N
Summary
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TryQuiet | quiet | < 6.0.1 | affected |
Weaknesses
- CWE-208: CWE-208: Observable Timing Discrepancy
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/TryQuiet/quiet/security/advisories/GHSA-gpw8-w78h-xj67
- https://github.com/TryQuiet/quiet/issues/2820#issue-3021080269
- https://github.com/TryQuiet/quiet/pull/2928
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.