CVE-2025-66803

MEDIUM

4.8

Description

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.

CVE Details

CVSS v3.1 Score4.8

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack VectorNETWORK

ComplexityHIGH

Privileges RequiredNONE

User InteractionNONE

Published1/20/2026

Last Modified1/30/2026

Sourcenvd

Honeypot Sightings0

Affected Products

hotwired:turbo

Weaknesses (CWE)

CWE-362

References

https://github.com/hotwired/turbo/pull/1399(cve@mitre.org)

https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp(cve@mitre.org)

https://turbo.hotwired.dev/handbook/frames(cve@mitre.org)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.