← back
CVE-2025-66803

CVE-2025-66803

CVSS 4.8 MEDIUMEPSS 0.2%CWE-362
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
20 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/hotwired/turbo/pull/1399https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvphttps://turbo.hotwired.dev/handbook/frames