CVE-2025-48061

wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting "This is a public computer" during login or the user selects "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented by either deleting all information upon logout as well as logging in as a temporary client.

CVSS v3 5.6 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.3 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wireapp/wire-webapp/security/advisories/GHSA-7r6m-qjwm-w44q

Configurations

No configuration.

History

23 May 2025, 15:55

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-22 17:15

Updated : 2025-05-23 15:55

NVD link : CVE-2025-48061

Mitre link : CVE-2025-48061

CVE.ORG link : CVE-2025-48061

JSON object : View

Products Affected

No product.

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-48061", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.3}]}, "published": "2025-05-22T17:15:25.033", "references": [{"url": "https://github.com/wireapp/wire-webapp/security/advisories/GHSA-7r6m-qjwm-w44q", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting \"This is a public computer\" during login or the user selects \"Delete all your personal information and conversations on this device\" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented by either deleting all information upon logout as well as logging in as a temporary client."}, {"lang": "es", "value": "wire-webapp es la aplicaci\u00f3n web para el servicio de mensajer\u00eda de c\u00f3digo abierto Wire. Un cambio provoc\u00f3 una regresi\u00f3n que impidi\u00f3 que las sesiones se invalidaran correctamente. Un usuario que cerraba sesi\u00f3n en la aplicaci\u00f3n web de Wire podr\u00eda haber vuelto a iniciar sesi\u00f3n autom\u00e1ticamente al reabrirla. Esto no ocurre cuando el usuario inicia sesi\u00f3n como usuario temporal seleccionando \"Este es un equipo p\u00fablico\" al iniciar sesi\u00f3n o seleccionando \"Eliminar toda su informaci\u00f3n personal y conversaciones en este dispositivo\" al cerrar sesi\u00f3n. El problema subyacente se ha solucionado con la versi\u00f3n 2025-05-20-production.0 de wire-webapp. Como workaround, este comportamiento se puede evitar eliminando toda la informaci\u00f3n al cerrar sesi\u00f3n o iniciando sesi\u00f3n como cliente temporal."}], "lastModified": "2025-05-23T15:55:02.040", "sourceIdentifier": "security-advisories@github.com"}