Token Verification Vulnerability in Quiet by TryQuiet
CVE-2025-53940
What is CVE-2025-53940?
A vulnerability exists in Quiet, an alternative to traditional team communication tools like Slack and Discord, affecting versions up to 6.1.0-alpha.4. The backend/frontend communication API utilized an insecure, non-constant-time comparison function for token validation. This flaw made it susceptible to timing attacks, enabling attackers to infer token values by measuring response times. As incorrect tokens were processed faster, malicious actors could potentially guess valid tokens one character at a time. The issue was addressed and resolved in version 6.0.1 of Quiet.

Affected Version(s)
quiet < 6.0.1
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
