CVE-2025-53940
BaseFortify
Publication date: 2025-07-24
Last updated on: 2025-07-25
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tryquiet | quiet | 6.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Quiet versions 6.1.0-alpha.4 and below, where the API for backend/frontend communication used an insecure, non-constant-time comparison function for token verification. This flaw allows an attacker to perform a timing attack by trying different token values and measuring tiny differences in response times to guess the entire token one character at a time.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could potentially guess authentication tokens by measuring response times, which may lead to unauthorized access or impersonation within the Quiet application, compromising the security of communications.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Quiet to version 6.0.1 or later, as this version fixes the insecure token verification function that allowed timing attacks.