CVE-2025-66803

Gravedad:

Pendiente de análisis

Tipo:

No Disponible / Otro tipo

Fecha de publicación:

20/01/2026

Última modificación:

20/01/2026

Descripción

*** Pendiente de traducción *** Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.

Impacto

Referencias a soluciones, herramientas e información

https://github.com/hotwired/turbo/pull/1399
https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp
https://turbo.hotwired.dev/handbook/frames