CVE-2025-53940
Description
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-53940? +
How do I check if I'm vulnerable to CVE-2025-53940? +
Related Vulnerabilities
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash …
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash …
SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) …
Padding oracle attack vulnerability in Oberon microsystem AG’s Oberon PSA Crypto library in all versions since 1.0.0 and prior to …
Padding oracle attack vulnerability in Oberon microsystem AG’s ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows …
PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via …