
CVE-2025-53940


Date: July 24, 2025

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication verified tokens with an insecure comparison function that was not constant-time. This allowed a potential timing attack in which an attacker tries different token values and observes tiny differences in response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.
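The weakness and its mitigation, as an added example (not Quiet's code or its actual patch): an early-exit comparison modeled so that the prefix-dependent work is visible, next to a constant-time check built on Node's `crypto.timingSafeEqual`. The function names, the Bearer header handling and the sample token are assumptions made for illustration.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Model of an early-exit comparison (what a naive check amounts to).
// It reports how many characters were examined, which is the quantity
// that leaks through response time (CWE-208).
function earlyExitCompare(presented, expected) {
  if (presented.length !== expected.length) return { equal: false, steps: 0 };
  for (let i = 0; i < expected.length; i++) {
    if (presented[i] !== expected[i]) return { equal: false, steps: i + 1 };
  }
  return { equal: true, steps: expected.length };
}

// Per-process random key: HMAC maps any input to a 32-byte digest, so the
// buffers given to timingSafeEqual always have equal length (it throws
// otherwise) and the token length is not revealed either.
const COMPARE_KEY = randomBytes(32);
const digest = (s) => createHmac('sha256', COMPARE_KEY).update(s, 'utf8').digest();

// Constant-time check: the work done does not depend on where the values differ.
function verifyToken(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') return false;
  return timingSafeEqual(digest(presented), digest(expected));
}

// Hypothetical header handling for a local API: "Authorization: Bearer <token>".
function authorize(headers, expectedToken) {
  const value = headers && headers.authorization;
  if (typeof value !== 'string' || !value.startsWith('Bearer ')) return false;
  return verifyToken(value.slice('Bearer '.length), expectedToken);
}

// Constructed sample token, not a real secret.
const SAMPLE_TOKEN = 'a3f9c2d47b10e8aa';
```

In the model, a guess that shares a longer prefix with the real token costs more steps, which is exactly what the constant-time version removes.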

Severity Score


Weakness Type (CWE)

Observable Timing Discrepancy

CWE-208

Top Fix


Upgrade Version

Upgrade to version @quiet/desktop@6.0.1 (https://github.com/TryQuiet/quiet.git)


CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH
