Primary

Context

libsignal-service-rs Sync Message Forgery Vulnerability

Vulnerability

A vulnerability in libsignal-service-rs, a Rust implementation of the libsignal protocol for Signal server communication, allows any contact to forge a sync message, impersonating another device of the local user. This issue arises because the origin of sync messages is not verified. The vulnerability is present in versions prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8.

Impact

Exploitation of this vulnerability allows for the unauthorized impersonation of devices in sync message exchanges, potentially leading to miscommunication or unauthorized actions based on the forged messages.

Remediation

Users can upgrade to libsignal-service-rs version 82d70f6720e762898f34ae76b0894b0297d9b2f8 or later. Note that this version introduces a breaking change in the Metadata struct by adding a was_encrypted field.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

5.9

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

5.9

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

libsignal-service-rs Sync Message Forgery Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating