libsignal-service-rs is a popular Rust implementation of the libsignal-service-java library, providing core functionality for communicating with Signal servers. A vulnerability has been discovered that allows any contact to forge a sync message, impersonating another device associated with the user. The issue was resolved in commit 82d70f672e762898f34ae76b0894b0297d9b2f8, but users with earlier versions of the library should take immediate action to secure their communications.

Consider the following code snippet that demonstrates the vulnerability:

// Old version of Metadata struct before patch
pub struct Metadata {
    thread_ts: i64,
    sender_e164: Option<String>,
    sender_uuid: String,
    sender_device: u32,
    timestamp: u64,
    needs_receipt: bool,
}

As seen above, the Metadata struct does not include the was_encrypted field, so the origin of sync messages is never checked. This allows any contact to forge a sync message that appears to come from another device belonging to the local user.

References

For more details, please refer to the original commit that resolves the vulnerability. The solution provided in this commit adds a new field was_encrypted to the Metadata struct, breaking the API but ensuring safer communication:

// Patched Metadata struct
pub struct Metadata {
    thread_ts: i64,
    sender_e164: Option<String>,
    sender_uuid: String,
    sender_device: u32,
    timestamp: u64,
    needs_receipt: bool,
    was_encrypted: bool, // Records whether the envelope was decrypted; the sync-message origin check relies on it
}

Exploit Details

The exploit takes advantage of the lack of origin checks for sync messages in the dispatch_message() method. An attacker may craft a custom sync message and send it as if it were from another device belonging to the same user. Since the method does not check the message's origin, the user may believe the message genuinely originated from one of their own devices.

Proposed Solution

To resolve the issue, users should update their libsignal-service-rs version immediately to include the latest commits, specifically the commit hash 82d70f672e762898f34ae76b0894b0297d9b2f8. This patch introduces a breaking change to the API, but it resolves the vulnerability by verifying the message's origin and ensuring safer communication.
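The following is an added illustration of the origin check that the was_encrypted field enables; it is not code from libsignal-service-rs. The Metadata shape follows the page, while check_sync_origin, Content, Rejection and the local_uuid parameter are hypothetical, and the assumption that was_encrypted is set only by the decryption path is mine.

```rust
// Added illustration for this advisory, not code from libsignal-service-rs.
#[allow(dead_code)]
#[derive(Debug, Clone)]
pub struct Metadata {
    pub sender_uuid: String,
    pub sender_device: u32,
    pub timestamp: u64,
    pub needs_receipt: bool,
    /// Assumed semantics: true only when the envelope was actually decrypted,
    /// so the sender identity in this struct was authenticated rather than
    /// merely claimed by whoever delivered the envelope.
    pub was_encrypted: bool,
}

#[derive(Debug, Clone)]
pub enum Content {
    DataMessage(String),
    SyncMessage(String),
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    SyncNotEncrypted,
    SyncFromOtherAccount,
}

/// Hypothetical origin check a dispatch routine runs before acting on a
/// sync message: it must come from one of the local user's own devices, and
/// that claim is only trustworthy when the envelope was encrypted. Comparing
/// sender_uuid alone is not enough if the identity was never authenticated.
pub fn check_sync_origin(local_uuid: &str, meta: &Metadata, content: &Content) -> Result<(), Rejection> {
    if let Content::SyncMessage(_) = content {
        if !meta.was_encrypted {
            return Err(Rejection::SyncNotEncrypted);
        }
        if meta.sender_uuid != local_uuid {
            return Err(Rejection::SyncFromOtherAccount);
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample: a sync message claiming the local account as sender,
    // but arriving without encryption. It must be rejected.
    let local = "11111111-1111-1111-1111-111111111111";
    let forged = Metadata { sender_uuid: local.to_string(), sender_device: 2, timestamp: 1, needs_receipt: false, was_encrypted: false };
    let sync = Content::SyncMessage("forged sync".to_string());
    println!("{:?}", check_sync_origin(local, &forged, &sync)); // Err(SyncNotEncrypted)
}
```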

Workarounds

No known workarounds are available at this time. Updating to the latest version of libsignal-service-rs and applying the mentioned patch remains the best course of action for ensuring secure communications.

Timeline

Published on: 02/13/2025 16:16:48 UTC