Primary

Context

libsignal-service-rs Plaintext Envelope Injection Vulnerability Bypassing Encryption and Authentication

Vulnerability

A vulnerability in libsignal-service-rs, a Rust implementation of the libsignal protocol for Signal server communication, allows for the injection of plaintext content envelopes by a server or malicious client. This injection could potentially bypass end-to-end encryption and authentication. The issue affects version 018ea9db7 and prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8.

Impact

Exploitation of this vulnerability could lead to plaintext envelopes being accepted without proper encryption, allowing for unauthorized content injection that could bypass Signal's end-to-end encryption and authentication mechanisms.

Remediation

Users can update to version 82d70f6720e762898f34ae76b0894b0297d9b2f8, which addresses this vulnerability by adding a metadata field to indicate whether an envelope was encrypted, thereby restoring proper envelope validation.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.9

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.9

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

libsignal-service-rs Plaintext Envelope Injection Vulnerability Bypassing Encryption and Authentication

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating