What is the severity of CVE-2025-24904?

CVE-2025-24904 has been classified as a high severity vulnerability due to the potential for plaintext content envelope injection.

How do I fix CVE-2025-24904?

To fix CVE-2025-24904, update the libsignal-service-rs library to a version that is equal to or greater than commit 82d70f6720e762898f34ae76b0894b0297d9b2f8.

What types of systems are affected by CVE-2025-24904?

CVE-2025-24904 primarily affects systems utilizing the libsignal-service-rs library prior to the specified commit.

Is CVE-2025-24904 a remote vulnerability?

Yes, CVE-2025-24904 can be exploited remotely through server or client interactions that inject plaintext content.

What are the potential impacts of CVE-2025-24904?

The potential impacts of CVE-2025-24904 include unauthorized access to sensitive information due to the injection of plaintext content envelopes.

Vulnerability/
CVE-2025-24904

high

8.5

CWE

74 287

EPSS

0.043%

13/2/2025

CVE-2025-24904

First published: Thu Feb 13 2025(Updated: )

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, plaintext content envelopes could be injected by a server or a malicious client, and may have been able to bypass the end-to-end encryption and authentication. The vulnerability is fixed per 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
libsignal-service-rs	<82d70f6720e762898f34ae76b0894b0297d9b2f8

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-24904?
CVE-2025-24904 has been classified as a high severity vulnerability due to the potential for plaintext content envelope injection.
How do I fix CVE-2025-24904?
To fix CVE-2025-24904, update the libsignal-service-rs library to a version that is equal to or greater than commit 82d70f6720e762898f34ae76b0894b0297d9b2f8.
What types of systems are affected by CVE-2025-24904?
CVE-2025-24904 primarily affects systems utilizing the libsignal-service-rs library prior to the specified commit.
Is CVE-2025-24904 a remote vulnerability?
Yes, CVE-2025-24904 can be exploited remotely through server or client interactions that inject plaintext content.
What are the potential impacts of CVE-2025-24904?
The potential impacts of CVE-2025-24904 include unauthorized access to sensitive information due to the injection of plaintext content envelopes.

collector/nvd-api
source/NVD
agent/severity
agent/last-modified-date
agent/weakness
agent/references
agent/author
agent/first-publish-date
agent/description
agent/type
agent/event
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
collector/epss-latest
source/FIRST
agent/source
agent/tags
agent/epss
vendor/signal
canonical/libsignal-service-rs

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.