CVE-2025-24903 Overview
CVE-2025-24903 affects libsignal-service-rs, a Rust port of the libsignal-service-java library that implements core functionality for communicating with Signal servers. The vulnerability allows any contact to forge a sync message and impersonate another device of the local user. The root cause is that the library does not verify the origin of sync messages before processing them. This flaw is categorized under [CWE-345] (Insufficient Verification of Data Authenticity). The maintainers addressed the issue in commit 82d70f6720e762898f34ae76b0894b0297d9b2f8.
Critical Impact
Any Signal contact can forge sync messages and impersonate the victim's other linked devices, undermining the trust model of cross-device synchronization.
Affected Products
- whisperfish libsignal-service-rs prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8
- Downstream Rust applications consuming libsignal-service-rs for Signal protocol communication
- Signal-compatible clients built on the whisperfish ecosystem (such as Whisperfish)
Discovery Timeline
- 2025-02-13 - CVE-2025-24903 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-24903
Vulnerability Analysis
The vulnerability resides in the message processing pipeline of libsignal-service-rs. Signal's protocol allows a user's linked devices to exchange sync messages for state synchronization, such as read receipts, sent message copies, and contact updates. These messages must originate only from devices owned by the local user.
The affected code path failed to validate that an incoming sync message actually came from a device tied to the local user's account. An attacker who is a contact of the victim can craft a message structured as a sync message and deliver it through normal Signal channels. The receiving client processes the forged sync message as if it originated from one of the user's linked devices.
This breaks the integrity guarantees of multi-device synchronization and can be leveraged to inject false state, manipulate displayed sender identities, or otherwise undermine the trust the application places in sync traffic.
Root Cause
The root cause is missing origin verification in the cipher and envelope handling logic. The decrypted envelope metadata was not consulted to confirm that the originating identity matched the local user's account before the message was dispatched as a sync message. The patch introduces a was_encrypted field on the Metadata struct and exposes envelope metadata for downstream validation.
Attack Vector
Exploitation requires the attacker to be a contact of the target and to send a crafted message over the Signal transport. No user interaction is required on the victim side beyond normal message receipt. The attack is network-based and applies to any application that links against an unpatched version of libsignal-service-rs.
let message =
crate::proto::Content::decode(plaintext.data.as_slice())?;
+ tracing::Span::current()
+ .record("envelope_metadata", plaintext.metadata.to_string());
+
// Sanity test: if the envelope was plaintext, the message should *only* be a
// decryption failure error
if was_plaintext {
// Source: https://github.com/whisperfish/libsignal-service-rs/commit/82d70f6720e762898f34ae76b0894b0297d9b2f8
The patch adds envelope metadata tracking, enabling downstream code to assert that sync messages originate from the local user's own devices.
Detection Methods for CVE-2025-24903
Indicators of Compromise
- Sync messages received from a sender whose identity does not correspond to a known linked device of the local user account.
- Unexpected state changes in client applications such as spurious read receipts, sent-message echoes, or contact updates that the user did not initiate.
- Application logs showing sync message handlers invoked for envelopes whose Metadata indicates an external sender identity.
Detection Strategies
- Inspect dependency manifests (Cargo.toml and Cargo.lock) across Rust projects to identify versions of libsignal-service-rs predating commit 82d70f6720e762898f34ae76b0894b0297d9b2f8.
- Instrument the patched envelope metadata tracing (envelope_metadata span field) to record sender identity for each decoded message and alert on mismatches.
- Run software composition analysis against build artifacts to flag transitively pulled vulnerable revisions of the crate.
Monitoring Recommendations
- Monitor downstream client behavior for unexplained sync-driven state changes that do not correlate with legitimate user activity on other devices.
- Correlate Signal-derived application telemetry with linked-device inventories to detect sync traffic attributed to non-enrolled devices.
- Track upstream advisories from the whisperfish project for follow-on fixes affecting the sync message validation path.
How to Mitigate CVE-2025-24903
Immediate Actions Required
- Update libsignal-service-rs to a revision that includes commit 82d70f6720e762898f34ae76b0894b0297d9b2f8 or later.
- Rebuild and redeploy any Rust applications, including Signal-compatible clients, that depend on the affected crate.
- Audit application code for use of the Metadata struct, since the patch adds a was_encrypted field that is an API-breaking change requiring downstream adjustments.
Patch Information
The fix is published in the whisperfish libsignal-service-rs repository as commit 82d70f6720e762898f34ae76b0894b0297d9b2f8. Refer to the GitHub Security Advisory GHSA-r58q-66g9-h6g8 and the upstream commit for the full patch contents.
Workarounds
- No known workarounds are available according to the upstream advisory. Patching is the only effective remediation.
- Where immediate patching is not feasible, limit exposure by restricting the contact list of affected accounts and treating sync-driven state changes with skepticism until the update is applied.
# Update the dependency in Cargo.toml to a patched revision
cargo update -p libsignal-service
cargo build --release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
