Quiet uses insecure, inconsistent verification on local backend token

8.5 / 10

HIGH

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

Description

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.

Basic Information

ID CVE-2025-53940

Source GitHub_M

Published Jul 24, 2025 at 22:23

Modified Jul 25, 2025 at 13:30

Affected Product

Vendor TryQuiet

Product quiet

Version < 6.0.1

Affected Versions TryQuiet quiet < 6.0.1

CWE Classification

CWE-208

References

{
    "lastseen": "",
    "description": "Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.",
    "published": "2025-07-24T22:23:58.389Z",
    "modified": "2025-07-25T13:30:36.230Z",
    "type": "cve",
    "title": "Quiet uses insecure, inconsistent verification on local backend token",
    "source": "GitHub_M",
    "references": "https://github.com/TryQuiet/quiet/security/advisories/GHSA-gpw8-w78h-xj67\nhttps://github.com/TryQuiet/quiet/issues/2820#issue-3021080269\nhttps://github.com/TryQuiet/quiet/pull/2928",
    "id": "CVE-2025-53940",
    "bulletinFamily": "",
    "cwe": [
        "CWE-208"
    ],
    "cvelist": null,
    "sourceData": "TryQuiet quiet < 6.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "quiet",
    "version": "< 6.0.1",
    "vendor": "TryQuiet",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Quiet uses insecure, inconsistent verification on local backend token_CVE-2025-53940