CVE-2025-66803 Overview
A race condition vulnerability has been identified in the turbo-frame element handler in Hotwired Turbo before version 8.0.x. A logout can fail when a frame response that was still in flight arrives late and reapplies the session cookie after the logout process has completed. The race can be exploited by remote attackers through selective network delays (for example, delaying particular requests based on sequence or timing) or by physically proximate attackers on shared computers, where the race can occur naturally.
Critical Impact
Session persistence after logout can lead to unauthorized access to user accounts, particularly on shared or public computers where subsequent users could inherit an active session.
Affected Products
- Hotwired Turbo versions prior to 8.0.x
- Web applications utilizing turbo-frame elements for session management
- Applications relying on Turbo for logout functionality
Discovery Timeline
- 2026-01-20 - CVE-2025-66803 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-66803
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Race Condition), affecting the turbo-frame element handler in Hotwired Turbo. The core issue stems from a timing-dependent interaction between frame response processing and session cookie management during logout operations.
When a user initiates a logout, the application should clear session cookies and invalidate the user's authentication state. However, if a turbo-frame response that was initiated before the logout is still pending, the delayed response may reapply session cookies after the logout has completed. This creates a window where the session remains active despite the user's explicit attempt to log out.
The vulnerability requires specific timing conditions to exploit successfully. Remote attackers can manipulate network conditions to delay frame responses strategically, while physically proximate attackers on shared computers may encounter the race condition through normal network latency variations.
Root Cause
The root cause is improper synchronization in the turbo-frame element handler's cookie management logic. When processing frame responses, the handler reapplies session cookies without checking whether a logout operation has occurred between the initial request and the response arrival. This lack of state coordination allows stale authentication data to overwrite the cleared session state.
Attack Vector
The attack vector is network-based, requiring the attacker to either:
- Remote exploitation: Manipulate network timing to delay turbo-frame responses until after a logout operation completes, causing the delayed response to restore session cookies
- Physical proximity exploitation: Wait for natural network latency on shared computers where the race condition may occur organically
The exploitation scenario typically involves:
- A user with multiple turbo-frames loading content asynchronously
- The user initiating a logout while frame requests are still pending
- Delayed frame responses arriving after logout and reapplying session data
- A subsequent user gaining access to the restored session
For detailed technical information about the vulnerability mechanism, see the GitHub Security Advisory and the related pull request.
Detection Methods for CVE-2025-66803
Indicators of Compromise
- Session cookies being set after explicit logout operations in application logs
- Users reporting persistent login states after logging out, especially on shared computers
- Anomalous turbo-frame response timing patterns in web server access logs
- Multiple concurrent sessions for single users after logout attempts
Detection Strategies
- Monitor web server logs for turbo-frame requests that complete after logout endpoints are called for the same session
- Implement client-side logging to track session cookie state changes during logout flows
- Review application logs for session restoration events immediately following logout operations
- Deploy network traffic analysis to identify artificially delayed turbo-frame responses
Monitoring Recommendations
- Enable detailed session management logging to track cookie state transitions during authentication events
- Configure alerts for session cookie modifications that occur within a short window after logout requests
- Implement real-time monitoring of turbo-frame response timing anomalies
- Regularly audit shared computer environments for signs of session persistence issues
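The two log-based checks above (a turbo-frame response completing after a logout for the same session, and a session cookie being set within a short window after that logout) as an added Node.js example; this is not code from the advisory or the Turbo project, and the log format, field names, logout path and alert window are assumptions:

```javascript
// Constructed application log: one JSON object per line. Field names are
// assumed for this example: ts (ms, when the response was written), sid
// (server-side session id), method, path, turboFrame (request carried a
// Turbo-Frame header), setCookie (response set the session cookie).
const SAMPLE_LOG = [
  '{"ts":1000,"sid":"s1","method":"GET","path":"/inbox","turboFrame":true,"setCookie":false}',
  '{"ts":1200,"sid":"s1","method":"GET","path":"/sidebar","turboFrame":true,"setCookie":false}',
  '{"ts":1300,"sid":"s1","method":"DELETE","path":"/logout","turboFrame":false,"setCookie":true}',
  '{"ts":1900,"sid":"s1","method":"GET","path":"/notifications","turboFrame":true,"setCookie":true}',
  '{"ts":1100,"sid":"s2","method":"GET","path":"/inbox","turboFrame":true,"setCookie":true}',
  '{"ts":9000,"sid":"s2","method":"DELETE","path":"/logout","turboFrame":false,"setCookie":true}',
].join("\n");

const LOGOUT_PATH = "/logout"; // assumed logout endpoint
const WINDOW_MS = 5000;        // frame responses landing this long after logout are suspicious

function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

// Flags every turbo-frame response that completed after a logout for the same
// session id. A response that also re-set the session cookie is rated high,
// since that is the exact sequence that restores the session.
function findPostLogoutFrameResponses(entries, windowMs = WINDOW_MS) {
  const logoutAt = new Map(); // sid -> timestamp of its earliest logout
  for (const e of entries) {
    if (e.path === LOGOUT_PATH && (!logoutAt.has(e.sid) || e.ts < logoutAt.get(e.sid))) {
      logoutAt.set(e.sid, e.ts);
    }
  }
  const findings = [];
  for (const e of entries) {
    if (!e.turboFrame || !logoutAt.has(e.sid)) continue;
    const delayMs = e.ts - logoutAt.get(e.sid);
    // Completed before the logout, or far too late to be the race: ignore.
    if (delayMs <= 0 || delayMs > windowMs) continue;
    findings.push({ sid: e.sid, path: e.path, delayMs, severity: e.setCookie ? "high" : "medium" });
  }
  return findings;
}
```

Run against real logs, the same logic works on any format once the six fields are extracted; tune WINDOW_MS to the longest frame response time the application normally sees.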
How to Mitigate CVE-2025-66803
Immediate Actions Required
- Upgrade Hotwired Turbo to version 8.0.x or later immediately
- Review logout implementation to ensure server-side session invalidation is properly synchronized
- Consider implementing additional client-side session verification after logout
- Audit applications using turbo-frame elements for similar timing vulnerabilities
Patch Information
The vulnerability is addressed in Hotwired Turbo version 8.0.x and later. The fix ensures proper synchronization between frame response handling and session management operations. Detailed patch information is available in the GitHub Pull Request #1399. The GitHub Security Advisory provides additional context and remediation guidance.
Workarounds
- Implement server-side session invalidation that cannot be overridden by client-side cookie restoration
- Add a logout verification step that checks session state after turbo-frame responses complete
- Cancel all pending turbo-frame requests when initiating logout operations
- For shared computer environments, implement forced session timeout mechanisms as an additional safeguard
For applications that cannot immediately upgrade, implementing server-side session token rotation during logout and validating session tokens on subsequent requests can mitigate the impact. Consult the Hotwired Turbo Handbook for best practices on frame handling.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

