CVE-2025-53940

HIGH

Quiet <6.1.0-alpha.4 - Timing Attack

Title source: llm

Description

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.

References (3)

[Vendor Advisory] https://github.com/TryQuiet/quiet/security/advisories/GHSA-gpw8-w78h-xj67

[Issue Tracking] https://github.com/TryQuiet/quiet/issues/2820#issue-3021080269

[Issue Tracking] https://github.com/TryQuiet/quiet/pull/2928

Scores

CVSS v4 8.5

EPSS 0.0003

EPSS Percentile 9.8%

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-208

Status published

Products (1)

TryQuiet/quiet < 6.0.1

Published Jul 24, 2025

Tracked Since Feb 18, 2026