CVE-2025-24904
Published: 13 February 2025
Summary
CVE-2025-24904 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). Its exploit-likelihood ranking sits at the 5.7th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-24904 affects libsignal-service-rs, a Rust implementation of the libsignal-service-java library used for core communication with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, the library is vulnerable to injection of plaintext content envelopes by a server or malicious client, potentially bypassing end-to-end encryption and authentication mechanisms. This flaw is classified under CWE-74 and CWE-287, with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).
A malicious client with low privileges or a compromised Signal server can exploit this over the network with low complexity and no user interaction, achieving high-impact integrity violations alongside low confidentiality impact. Attackers could inject unauthorized plaintext envelopes into communications, undermining the protocol's security guarantees by evading encryption and authentication checks.
The vulnerability is fixed in commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, which adds a `was_encrypted` field to the `Metadata` struct; this change breaks the API but is described as easily resolvable. No known workarounds exist, per the GitHub security advisory (GHSA-hrrc-wpfw-5hj2).
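To make the failure mode concrete, here is an added Rust sketch. It is not libsignal-service-rs code: the `Envelope`, `Content`, `Metadata`, `process_envelope` and `accept_message` names, and the XOR stand-in for decryption, are assumptions made for this example. It shows why a consumer needs something like the `was_encrypted` flag the fix introduces: without it, a plaintext content envelope forged by the server or another client comes out of envelope processing looking exactly like a message that was genuinely decrypted and authenticated.

```rust
// Added illustrative model of the flaw behind CVE-2025-24904.
// NOT libsignal-service-rs code: types, names and the toy cipher are
// simplified assumptions so the example runs stand-alone.

/// Stand-in for an envelope as handed to the client by the server.
#[derive(Debug, Clone)]
pub enum Envelope {
    /// Ciphertext for the recipient's session. In the real protocol,
    /// successful decryption also authenticates the sender; the toy XOR
    /// below does not, and exists only to keep the example self-contained.
    Ciphertext { claimed_sender: String, body: Vec<u8> },
    /// Content carried in the clear. Anyone on the path (server, another
    /// client) can forge one of these without any key material.
    PlaintextContent { claimed_sender: String, body: Vec<u8> },
}

#[derive(Debug, Clone, PartialEq)]
pub struct Metadata {
    pub sender: String,
    /// The information the fix exposes: was this content recovered by
    /// decryption (and therefore authenticated), or taken as-is off the wire?
    pub was_encrypted: bool,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Content {
    pub metadata: Metadata,
    pub text: String,
}

#[derive(Debug, PartialEq)]
pub enum RejectReason {
    Malformed,
    UnauthenticatedPlaintext,
}

/// Toy "decryption": XOR with a per-session key (assumed, not Signal's Double
/// Ratchet). XOR is symmetric, so the same routine encrypts.
fn toy_xor(key: &[u8], data: &[u8]) -> Vec<u8> {
    data.iter().zip(key.iter().cycle()).map(|(b, k)| b ^ k).collect()
}

pub fn toy_encrypt(key: &[u8], plaintext: &[u8]) -> Vec<u8> {
    toy_xor(key, plaintext)
}

/// Envelope processing as a consumer might see it before the fix: both
/// envelope kinds become `Content`. The `was_encrypted` field is the only
/// thing that lets a caller tell them apart afterwards.
pub fn process_envelope(key: &[u8], env: &Envelope) -> Result<Content, RejectReason> {
    match env {
        Envelope::Ciphertext { claimed_sender, body } => {
            let text = String::from_utf8(toy_xor(key, body)).map_err(|_| RejectReason::Malformed)?;
            Ok(Content {
                metadata: Metadata { sender: claimed_sender.clone(), was_encrypted: true },
                text,
            })
        }
        Envelope::PlaintextContent { claimed_sender, body } => {
            let text = String::from_utf8(body.clone()).map_err(|_| RejectReason::Malformed)?;
            Ok(Content {
                metadata: Metadata { sender: claimed_sender.clone(), was_encrypted: false },
                text,
            })
        }
    }
}

/// Hardened consumer: only content that came through the encrypted,
/// authenticated path is treated as a message from `metadata.sender`.
pub fn accept_message(key: &[u8], env: &Envelope) -> Result<Content, RejectReason> {
    let content = process_envelope(key, env)?;
    if !content.metadata.was_encrypted {
        return Err(RejectReason::UnauthenticatedPlaintext);
    }
    Ok(content)
}

fn main() {
    let key = b"recipient-session-key"; // constructed sample key
    // Constructed forged envelope: no key needed to build it.
    let forged = Envelope::PlaintextContent {
        claimed_sender: "alice".to_string(),
        body: b"please resend the code".to_vec(),
    };
    println!("naive processing: {:?}", process_envelope(key, &forged));
    println!("hardened consumer: {:?}", accept_message(key, &forged));
    let genuine = Envelope::Ciphertext {
        claimed_sender: "alice".to_string(),
        body: toy_encrypt(key, b"hello"),
    };
    println!("genuine message: {:?}", accept_message(key, &genuine));
}
```

The point of the sketch is the second function: an application that consumes `Content` without consulting `was_encrypted` cannot distinguish the forged envelope from the genuine one, which is exactly the integrity impact the CVSS vector records. The check is deliberately placed at the consumer rather than inside `process_envelope`, because the real fix changes the metadata the library returns and leaves the policy decision to the caller.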
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3985
Vulnerability details
libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, plaintext content envelopes could be injected by a server or a malicious client, and may have been able to bypass the end-to-end encryption and authentication. The vulnerability is fixed per 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available.
- CWE(s): CWE-74 (Injection), CWE-287 (Improper Authentication)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1557 Adversary-in-the-Middle
- T1565.002 Transmitted Data Manipulation
Why these techniques?
The vulnerability lets a server or a malicious client inject plaintext envelopes that bypass end-to-end encryption and authentication. That is traffic injection from a position between the endpoints (T1557) and manipulation of data while it is in transit (T1565.002).
Affected Assets
- libsignal-service-rs, prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8
Mitigating Controls (NIST 800-53 r5)
- Input validation: enforces validation of incoming content envelopes so that unauthorized plaintext injections are rejected, directly addressing CWE-74 and preventing bypass of the encryption checks.
- SC-23 (Session Authenticity): protects the authenticity of communication sessions with Signal servers, mitigating the CWE-287 improper-authentication aspect in which a malicious client or server injects fake envelopes.
- SC-8 (Transmission Confidentiality and Integrity): requires cryptographic mechanisms for the confidentiality and integrity of transmissions, countering plaintext envelope injections that bypass end-to-end protections.