CVE-2020-25900

MEDIUM

HelloTalk < 3.4.1 - Exposure of Private Personal Information to an Unauthorized Actor

Title source: rule

Description

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. (The client side was changed in 2019 to encrypt that database.)

References (1)

Core 1

Core References

https://isopach.dev/CVE-2020-25900/

Scores

CVSS v3 5.3

EPSS 0.0020

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-359

Status published

Products (1)

HelloTalk/HelloTalk < 3.4.1

Published Jun 05, 2026

Tracked Since Jun 05, 2026