{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T14:13:09.065","vulnerabilities":[{"cve":{"id":"CVE-2025-53940","sourceIdentifier":"security-advisories@github.com","published":"2025-07-24T23:15:26.620","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1."},{"lang":"es","value":"Quiet es una alternativa a las aplicaciones de chat en equipo como Slack, Discord y Element, que no requiere confiar en un servidor central ni ejecutar uno propio. En las versiones 6.1.0-alpha.4 y anteriores, la API de Quiet para la comunicación entre el backend y el frontend utilizaba una función de comparación insegura y no constante para la verificación de tokens. Esto permitía un posible ataque de sincronización: un atacante probaba diferentes valores de token y observaba pequeñas diferencias en el tiempo de respuesta (los caracteres incorrectos fallan más rápido) para adivinar el token completo, carácter por carácter. Esto se solucionó en la versión 6.0.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-208"}]}],"references":[{"url":"https://github.com/TryQuiet/quiet/issues/2820#issue-3021080269","source":"security-advisories@github.com"},{"url":"https://github.com/TryQuiet/quiet/pull/2928","source":"security-advisories@github.com"},{"url":"https://github.com/TryQuiet/quiet/security/advisories/GHSA-gpw8-w78h-xj67","source":"security-advisories@github.com"}]}}]}