Vulnerability Database

318,638

Total vulnerabilities in the database

CVE-2025-66803

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.

Published: Jan 20, 2026
Updated: Jan 21, 2026
CVE: CVE-2025-66803
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

No affected software listed.

https://github.com/hotwired/turbo/pull/1399
https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp
https://turbo.hotwired.dev/handbook/frames

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo