Cyber Resilience

CVE-2025-24904

High

Published: 13 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24904 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 5.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2025-24904 affects libsignal-service-rs, a Rust implementation of the libsignal-service-java library used for core communication with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, the library is vulnerable to injection of plaintext content envelopes by a server or malicious client, potentially bypassing end-to-end encryption and authentication mechanisms. This flaw is classified under CWE-74 and CWE-287, with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).

A malicious client with low privileges or a compromised Signal server can exploit this over the network with low complexity and no user interaction, achieving high-impact integrity violations alongside low confidentiality impact. Attackers could inject unauthorized plaintext envelopes into communications, undermining the protocol's security guarantees by evading encryption and authentication checks.

The vulnerability is fixed in commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, which adds a `was_encrypted` field to the `Metadata` struct; this change breaks the API but is described as easily resolvable. No known workarounds exist, per the GitHub security advisory (GHSA-hrrc-wpfw-5hj2).
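How a consumer might use the new field after upgrading, as an added example (not code from libsignal-service-rs or the advisory). The types are simplified stand-ins: everything except `Metadata` and `was_encrypted` is hypothetical, including the assumption that only a decryption-error body is acceptable in plaintext.

```rust
// Stand-in types for illustration; NOT the crate's real definitions.
// Only `Metadata` and its `was_encrypted` field are named by the advisory.
#[derive(Debug, Clone, PartialEq)]
pub enum Body {
    DataMessage(String), // hypothetical variant
    DecryptionError,     // assumed: the only body an app accepts unencrypted
}

#[derive(Debug, Clone, PartialEq)]
pub struct Metadata {
    pub sender: String,      // hypothetical field; unauthenticated if plaintext
    pub was_encrypted: bool, // field added by the fix
}

#[derive(Debug, Clone, PartialEq)]
pub struct Content {
    pub metadata: Metadata,
    pub body: Body,
}

#[derive(Debug, PartialEq)]
pub enum Rejected {
    PlaintextNotAllowed { sender: String },
}

/// Gate run before application logic: content that did not arrive inside an
/// encrypted envelope is dropped unless its body is on the plaintext allow-list.
pub fn accept(content: Content) -> Result<Content, Rejected> {
    if content.metadata.was_encrypted || matches!(content.body, Body::DecryptionError) {
        Ok(content)
    } else {
        Err(Rejected::PlaintextNotAllowed { sender: content.metadata.sender })
    }
}

/// Constructed sample inbox: one encrypted message, one plaintext message
/// claiming the same sender, and one plaintext decryption-error notice.
pub fn sample_inbox() -> Vec<Content> {
    let mk = |s: &str, enc: bool, body: Body| Content {
        metadata: Metadata { sender: s.to_string(), was_encrypted: enc },
        body,
    };
    vec![
        mk("alice", true, Body::DataMessage("lunch at noon?".into())),
        mk("alice", false, Body::DataMessage("send the code to bob".into())),
        mk("bob", false, Body::DecryptionError),
    ]
}

fn main() {
    for c in sample_inbox() { println!("{:?}", accept(c)); }
}
```

The second sample item is rejected even though it names the same sender as the first, because a sender claimed in a plaintext envelope has not been authenticated by the end-to-end encryption layer.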

Vulnerability details

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, plaintext content envelopes could be injected by a server or a malicious client, and may have been able to bypass the end-to-end encryption and authentication. The vulnerability is fixed per 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability allows a server or malicious client to inject plaintext envelopes that bypass E2EE and authentication, directly facilitating traffic injection from a MITM position (T1557) and manipulation of transmitted data (T1565.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-49831 (shared CWE-287)
CVE-2025-21450 (shared CWE-287)
CVE-2026-30836 (shared CWE-287)
CVE-2025-71279 (shared CWE-287)
CVE-2026-25520 (shared CWE-74)
CVE-2026-2469 (shared CWE-74)
CVE-2026-2991 (shared CWE-287)
CVE-2026-21891 (shared CWE-287)
CVE-2025-64428 (shared CWE-74)
CVE-2026-7876 (shared CWE-287)

Affected Assets

Rust
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of incoming content envelopes to reject unauthorized plaintext injections, directly addressing CWE-74 and preventing bypass of encryption checks.

prevent

Protects the authenticity of communications sessions with Signal servers, mitigating CWE-287 improper authentication by malicious clients or servers injecting fake envelopes.

prevent

Requires cryptographic mechanisms to ensure confidentiality and integrity of transmissions, countering plaintext envelope injections that bypass end-to-end protections.
