CVE-2025-66803

LOW SEVERITY

CVSS Score & Metrics

Base Score

4.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N                                    

Vulnerability Description

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.

Vulnerability Details

Published Date

January 20, 2026

Last Modified

January 26, 2026

CWE ID

CWE-362

Source

GitHub

Vendor

npm

Product

@hotwired/turbo

External References

https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp
https://github.com/hotwired/turbo/pull/1399
https://github.com/hotwired/turbo/commit/899df356e9f4b3303cca217cd14b3f846edda10d
https://github.com/hotwired/turbo/releases/tag/v8.0.21
https://nvd.nist.gov/vuln/detail/CVE-2025-66803
https://turbo.hotwired.dev/handbook/frames
https://github.com/advisories/GHSA-qppm-g56g-fpvp

CVE-2025-66803

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment