CVE-2025-66803

Date: January 19, 2026

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.

Severity Score


Weakness Type (CWE)

CWE-613: Insufficient Session Expiration

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Top Fix


Upgrade Version

Upgrade to version 8.0.21 of @hotwired/turbo (https://github.com/hotwired/turbo.git, v8.0.21).


CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE
