CVE-2025-49846
BaseFortify
Publication date: 2025-07-03
Last updated on: 2025-07-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-117 | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
| CWE-532 | The product writes sensitive information to a log file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Wire iOS versions 3.111.1 to before 3.124.1 caused messages visible in the viewport to be logged in clear text to the iOS system logs. This happened because the app called the iOS function canOpenUrl() with an invalid URL object, which caused iOS to log the URL contents to system logs, an undocumented behavior. These system logs could be accessed only if someone had physical access to an unlocked device. Wire's own application-managed logs were not affected. The issue was fixed in version 3.124.1 by improving URL detection and handling to prevent this accidental logging. [2, 3]
How can this vulnerability impact me? :
The vulnerability impacts confidentiality by potentially exposing message contents in clear text within iOS system logs. If an attacker gains physical access to an unlocked device, they could read sensitive message data from these logs. There is no impact on integrity or availability. The risk is limited to local access with high privileges required. The only workaround before the fix is to reset the iOS device to clear the logs. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests by logging message contents in clear text to the iOS system logs when the Wire iOS app calls canOpenUrl() with an invalid URL object. Detection requires physical access to an unlocked iOS device to inspect the system logs for such leaked message contents. Since the logs are iOS system logs, you can check them using the macOS Console app connected to the device or via the command line using 'log show' commands. For example, you can run 'log show --predicate "process == 'wire-ios'" --info --last 1d' on a connected Mac to view recent Wire iOS logs. However, the vulnerability is not detectable via network monitoring as it involves local system logs only. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the Wire iOS application to version 3.124.1 or later, which contains the security fix preventing message contents from being logged in clear text. If updating is not immediately possible, reset the affected iOS device to clear the offending system logs, as Wire cannot modify iOS system logs directly. Additionally, ensure physical access to unlocked devices is restricted to prevent unauthorized log access. [1, 2]