CVE-2025-66803

Source
https://cve.org/CVERecord?id=CVE-2025-66803
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66803.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66803
Aliases
Published
2026-01-20T19:15:49.537Z
Modified
2026-03-13T03:41:52.505050Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

A race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.21 (see the affected range below) causes logout operations to silently fail. A turbo-frame request that is still in flight when the user logs out returns a response after the logout response has already cleared the session cookie; that late response carries a fresh Set-Cookie for the old session, the browser applies it, and the session is re-established. A remote attacker can trigger the race with selective network delays (for example, delaying specific requests based on their sequence or timing); a physically proximate attacker can exploit it on a shared computer when the race occurs naturally.
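The ordering described above, as an added illustration that is not part of this record or of the Turbo code base. It models the browser cookie store and a cookie-renewing session server in plain JavaScript and replays the race deterministically: the frame response is built before logout but delivered after it. The two mitigations it exercises, aborting in-flight frame fetches before the logout request and invalidating the session server-side so a re-applied cookie is worthless, are general defenses chosen for this example; they are not a description of the upstream fix. All names (CookieJar, SessionServer, runLogoutRace) are this example's own.

```javascript
// Added example (not Turbo's code): deterministic replay of the logout race.

// Minimal stand-in for the browser cookie store.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Apply a Set-Cookie value of the form "name=value" or "name=; Max-Age=0".
  applySetCookie(header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const [name, value = ""] = pair.split("=");
    const expired = attrs.some((a) => /^max-age=0$/i.test(a));
    if (expired || value === "") this.cookies.delete(name);
    else this.cookies.set(name, value);
  }
  header() {
    return [...this.cookies].map(([k, v]) => `${k}=${v}`).join("; ");
  }
}

// Session server that, like many cookie-session setups, re-emits the session
// cookie on every authenticated response. That re-emission is the "reapply"
// step: a late frame response carries a Set-Cookie for the old session.
class SessionServer {
  constructor({ invalidateServerSide }) {
    this.sessions = new Map(); // sessionId -> user
    this.nextId = 1;
    this.invalidateServerSide = invalidateServerSide;
  }
  login(user) {
    const id = `s${this.nextId++}`;
    this.sessions.set(id, user);
    return { status: 200, setCookie: `session=${id}` };
  }
  sessionFor(cookieHeader) {
    const m = /(?:^|; )session=(\w+)/.exec(cookieHeader);
    return m && this.sessions.has(m[1]) ? m[1] : null;
  }
  // Frame request: the response is built now; the caller decides when it is
  // delivered. That delivery delay is the whole attack.
  frame(cookieHeader) {
    const id = this.sessionFor(cookieHeader);
    if (!id) return { status: 401, setCookie: null };
    return { status: 200, setCookie: `session=${id}` }; // session renewed
  }
  logout(cookieHeader) {
    const id = this.sessionFor(cookieHeader);
    // Without server-side invalidation (e.g. a pure cookie store), logout is
    // only the cookie clearing below, and a re-applied cookie revives the session.
    if (id && this.invalidateServerSide) this.sessions.delete(id);
    return { status: 200, setCookie: "session=; Max-Age=0" };
  }
}

// Drive one ordering of the race. Returns whether a request sent after the
// logout is still authenticated (true means the logout silently failed).
function runLogoutRace({ abortInFlightOnLogout = false, invalidateServerSide = false } = {}) {
  const server = new SessionServer({ invalidateServerSide });
  const jar = new CookieJar();
  jar.applySetCookie(server.login("alice").setCookie);

  // 1. A turbo-frame request goes out while the user is logged in. The network
  //    (or an attacker holding the connection open) delays its delivery.
  const inFlight = { aborted: false, response: server.frame(jar.header()) };

  // 2. The user logs out. Optionally the client aborts pending frame fetches
  //    first (what an AbortController hooked to the logout action would do).
  if (abortInFlightOnLogout) inFlight.aborted = true;
  jar.applySetCookie(server.logout(jar.header()).setCookie);
  const clearedAfterLogout = jar.cookies.size === 0;

  // 3. The delayed frame response arrives. The browser applies its Set-Cookie
  //    header exactly as it would for any other response.
  if (!inFlight.aborted && inFlight.response.setCookie) {
    jar.applySetCookie(inFlight.response.setCookie);
  }

  // 4. Probe: is the next request still authenticated?
  const probe = server.frame(jar.header());
  return { clearedAfterLogout, stillAuthenticated: probe.status === 200 };
}

// Vulnerable ordering: cookie was cleared, yet the user is still logged in.
console.log(runLogoutRace());
// Either mitigation alone closes this particular ordering.
console.log(runLogoutRace({ abortInFlightOnLogout: true }));
console.log(runLogoutRace({ invalidateServerSide: true }));
```

The client-side abort only helps for requests the page still knows about; a response already in the socket buffer or issued from another tab is not covered, which is why the server-side invalidation is the mitigation that does not depend on ordering at all.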

References

Affected packages

Git / github.com/hotwired/turbo

Affected ranges

Type
GIT
Repo
https://github.com/hotwired/turbo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.0.21"
        }
    ]
}

Affected versions

8.*
8.0.13
8.0.6
v7.*
v7.0.0
v7.0.0-beta.1
v7.0.0-beta.2
v7.0.0-beta.3
v7.0.0-beta.4
v7.0.0-beta.5
v7.0.0-beta.6
v7.0.0-beta.7
v7.0.0-beta.8
v7.0.0-rc.1
v7.0.0-rc.2
v7.0.0-rc.3
v7.0.0-rc.4
v7.0.0-rc.5
v7.0.1
v7.1.0
v7.1.0-rc.1
v7.1.0-rc.2
v7.1.0-rc.3
v7.2.0
v7.2.0-beta.1
v7.2.0-beta.2
v7.2.0-rc.1
v7.2.0-rc.2
v7.2.0-rc.3
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.3.0
v8.*
v8.0.0
v8.0.0-beta.2
v8.0.0-beta.3
v8.0.0-beta.4
v8.0.0-beta1
v8.0.0-rc.1
v8.0.0-rc.2
v8.0.0-rc.3
v8.0.1
v8.0.10
v8.0.11
v8.0.13
v8.0.19
v8.0.2
v8.0.20
v8.0.3
v8.0.4
v8.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66803.json"