CVE-2025-24904
CVSS 3.1 Score 8.5 of 10 (high)
Details
Summary
CVE-2025-24904 affects libsignal-service-rs, a Rust implementation of the libsignal-service-java library used for communication with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, the library failed to properly encrypt content envelopes, leaving them susceptible to injection by malicious servers or clients. This could bypass end-to-end encryption and authentication, posing a significant security risk. The issue is fixed in commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, which adds a new `was_encrypted` field to the `Metadata` struct. The change may break the API, but the breakage is expected to be easy to resolve. No known workarounds are currently available for affected users.
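After upgrading, downstream code has to act on the new field. The sketch below is an added example, not code from libsignal-service-rs: it uses simplified stand-in types, and only `Metadata` and `was_encrypted` are names taken from this advisory; `Content`, `sender`, `body`, `accept` and `triage` are hypothetical.

```rust
// Stand-in types for illustration; NOT the real libsignal-service-rs definitions.
#[derive(Debug, Clone, PartialEq)]
pub struct Metadata {
    pub sender: String,      // hypothetical field
    pub was_encrypted: bool, // field added by the fix
}

#[derive(Debug, Clone, PartialEq)]
pub struct Content {
    pub metadata: Metadata,
    pub body: String, // hypothetical field
}

#[derive(Debug, PartialEq)]
pub enum Rejected {
    // The sender of unencrypted content is unauthenticated, so it is only "claimed".
    NotEncrypted { claimed_sender: String },
}

/// Gate applied before any content reaches application logic.
pub fn accept(content: Content) -> Result<Content, Rejected> {
    if content.metadata.was_encrypted {
        Ok(content)
    } else {
        Err(Rejected::NotEncrypted { claimed_sender: content.metadata.sender })
    }
}

/// Split a received batch into trusted content and rejections to log.
pub fn triage(batch: Vec<Content>) -> (Vec<Content>, Vec<Rejected>) {
    let (mut ok, mut bad) = (Vec::new(), Vec::new());
    for c in batch {
        match accept(c) {
            Ok(c) => ok.push(c),
            Err(r) => bad.push(r),
        }
    }
    (ok, bad)
}

/// Constructed sample: one decrypted message, one injected plaintext envelope.
pub fn sample_batch() -> Vec<Content> {
    let mk = |enc: bool, body: &str| Content {
        metadata: Metadata { sender: "alice".into(), was_encrypted: enc },
        body: body.into(),
    };
    vec![mk(true, "hello"), mk(false, "injected text")]
}

fn main() {
    let (ok, bad) = triage(sample_batch());
    println!("accepted: {:?}\nrejected: {:?}", ok, bad);
}
```

Logging the rejections rather than dropping them silently gives operators a signal that a server or peer is sending unencrypted envelopes.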