Description
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/TryQuiet/quiet/security/advisories/GHSA-gpw8-w78h-xj67
Issue Tracking x_refsource_misc
https://github.com/TryQuiet/quiet/issues/2820#issue-3021080269
Issue Tracking x_refsource_misc
https://github.com/TryQuiet/quiet/pull/2928
Scores
CVSS v4
8.5
EPSS
0.0250
EPSS Percentile
82.6%
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-208
Status
published
Products (1)
TryQuiet/quiet
< 6.0.1
Published
Jul 24, 2025
Tracked Since
Feb 18, 2026