Quiet uses insecure, inconsistent verification on local backend token

July 24, 2025 invoker category_cve

CVE Details

Basic Information

Title Quiet uses insecure, inconsistent verification on local backend token
Type cve
Published 2025-07-24T22:23:58.389Z
Modified 2025-07-24T22:23:58.389Z

Product Information

Vendor TryQuiet
Product quiet
Version < 6.0.1

CVSS Information

Base Score 8.5 (HIGH)
Attack Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

Affected Products

  • TryQuiet quiet < 6.0.1

Additional Information

CWE List CWE-208
Source GitHub_M

Description

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one’s own. In versions 6.1.0-alpha.4 and below, Quiet’s API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.