CVE-2025-24903
Published: 13 February 2025
Summary
CVE-2025-24903 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Impersonation (T1684.001). It ranks at the 26.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2025-24903 by requiring timely patching of the vulnerable libsignal-service-rs library to the version after commit 82d70f6720e762898f34ae76b0894b0297d9b2f8.
Implements cryptographic mechanisms to provide authentication and integrity protection for sync messages, preventing forgery by verifying their origin from legitimate user devices.
Enforces software and information integrity checks, such as digital signatures, to verify sync messages and detect forgeries impersonating local user devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows an attacker to forge sync messages impersonating a linked device of the victim, directly enabling device/account impersonation without requiring valid credentials or MitM positioning.
NVD Description
libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user. The origin of sync messages is not checked. Patched libsignal-service can be found after commit 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available.
Deeper analysis
CVE-2025-24903 is an insufficient verification of data authenticity vulnerability (CWE-345) affecting libsignal-service-rs, a Rust implementation of the libsignal-service-java library used for core communication with Signal servers. In versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, the library fails to check the origin of sync messages, allowing any contact to forge a sync message that impersonates another device belonging to the local user.
An attacker with low privileges, such as a contact of the victim, can exploit this over the network with low complexity and no user interaction required. Successful exploitation enables the forging of sync messages, resulting in high integrity impact (I:H) by impersonating linked devices, partial confidentiality loss (C:L), and scope change to untrusted components, as reflected in the CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).
The vulnerability is patched in libsignal-service-rs after commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, which adds proper origin verification; the patch introduces a new `was_encrypted` field to the `Metadata` struct, breaking API compatibility but noted as easily resolvable. No known workarounds exist, and security practitioners should update to the patched version, referencing the GitHub commit and advisory for details.
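The origin check described above, sketched as an added example that is not code from libsignal-service-rs or from this page. The types and function names are hypothetical stand-ins; only the `Metadata` and `was_encrypted` names come from the advisory text. It assumes the check amounts to accepting sync content only when the sender is the local account and the envelope was encrypted.

```rust
// Added illustration: hypothetical types, not the libsignal-service-rs API.
#[derive(Debug, Clone, PartialEq)]
pub struct Metadata {
    pub sender_account: String, // account identifier of the envelope sender
    pub sender_device: u32,     // device number of the sender
    pub was_encrypted: bool,    // field name taken from the advisory text
}

#[derive(Debug, PartialEq)]
pub enum Content {
    Data(String), // ordinary message from any contact
    Sync(String), // state a linked device asks the local client to mirror
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept,
    RejectForeignSync,
    RejectUnencryptedSync,
}

/// Pre-patch behaviour as the advisory describes it: the origin is never checked.
pub fn check_unverified(_local_account: &str, _m: &Metadata, _c: &Content) -> Verdict {
    Verdict::Accept
}

/// Hardened handling (assumed policy): sync content is accepted only from the
/// local user's own account, and only when the envelope was encrypted.
pub fn check_origin(local_account: &str, m: &Metadata, c: &Content) -> Verdict {
    match c {
        Content::Sync(_) if m.sender_account != local_account => Verdict::RejectForeignSync,
        Content::Sync(_) if !m.was_encrypted => Verdict::RejectUnencryptedSync,
        _ => Verdict::Accept,
    }
}

fn main() {
    // Constructed sample: a sync message whose sender is a contact, not the local user.
    let local = "account-local";
    let from_contact = Metadata {
        sender_account: "account-contact".to_string(),
        sender_device: 1,
        was_encrypted: true,
    };
    let sync = Content::Sync("constructed sync payload".to_string());
    println!("unverified: {:?}", check_unverified(local, &from_contact, &sync));
    println!("verified:   {:?}", check_origin(local, &from_contact, &sync));
}
```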
Details
- CWE(s)