Vulnerability Description
Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hotwired | Turbo | < 8.0.21 |
Related Weaknesses (CWE)
References
- https://github.com/hotwired/turbo/pull/1399 (Exploit, Issue Tracking, Patch)
- https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp (Vendor Advisory)
- https://turbo.hotwired.dev/handbook/frames (Product)
FAQ
What is CVE-2025-66803?
CVE-2025-66803 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploit...
How severe is CVE-2025-66803?
CVE-2025-66803 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66803?
Check the references section above for vendor advisories and patch information. Affected products include: Hotwired Turbo.