CVE-2025-48061: CWE-613: Insufficient Session Expiration in wireapp wire-webapp

Medium
Tags: Vulnerability, CVE-2025-48061, CWE-613
Published: Thu May 22 2025 (05/22/2025, 17:04:42 UTC)
Source: CVE
Vendor/Project: wireapp
Product: wire-webapp

Description

wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user who logged out of the Wire webapp could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting "This is a public computer" during login, or when the user selects "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented either by deleting all information upon logout or by logging in as a temporary client.

AI-Powered Analysis

Last updated: 07/08/2025, 09:13:09 UTC

Technical Analysis

CVE-2025-48061 is a medium-severity vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting wire-webapp, the web application component of the open-source messaging service Wire. The vulnerability arises from a regression introduced in the application, causing user sessions not to be properly invalidated upon logout. Specifically, when a user logs out, the session token or authentication state remains valid, allowing the user to be automatically logged back in upon reopening the application without re-authentication. This behavior does not occur if the user logs in as a temporary user by selecting "This is a public computer" during login, or opts to delete all personal information and conversations on the device upon logout. The root cause is insufficient session expiration control, which violates secure session management practice by failing to terminate sessions effectively on logout. The issue has been addressed and fixed in wire-webapp version 2025-05-20-production.0. Until users upgrade, the vulnerability can be mitigated either by deleting all local data upon logout or by using the temporary client login option. The CVSS v3.1 score is 5.6 (medium), reflecting that exploitation requires local access (AV:L), high attack complexity (AC:H), and high privileges (PR:H), with user interaction (UI:R) needed. The impact includes potential unauthorized access to user accounts, compromising the confidentiality and integrity of messages and personal data, though availability is not affected. No known exploits are reported in the wild as of now.
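The logout regression described above, as an added illustration that is not wire-webapp's own code: persisted and tab-scoped storage are simulated with two Maps (standing in for localStorage and sessionStorage), and the function names (login, logoutRegressed, logoutFixed, reopenApp, runScenario) are hypothetical. It shows why a permanent client is auto-logged-in after the regressed logout, while a temporary ("public computer") client or a "delete all data" logout is not.

```javascript
// Added illustration of CWE-613 as described for CVE-2025-48061; not
// wire-webapp code. Storage is simulated: localStore survives reopening
// the app (like localStorage), sessionStore is dropped when the tab
// closes (like sessionStorage). All names here are hypothetical.
const localStore = new Map();    // persists across app restarts
const sessionStore = new Map();  // cleared when the tab/window closes

// Login: a temporary ("This is a public computer") client keeps its token
// only in tab-scoped storage; a permanent client persists it locally.
function login(token, { temporaryClient }) {
  const store = temporaryClient ? sessionStore : localStore;
  store.set('accessToken', token);
  store.set('clientType', temporaryClient ? 'temporary' : 'permanent');
  return true;
}

// Regressed behaviour: logout tears down in-memory state but leaves the
// persisted token in place, so reopening the app silently restores it.
function logoutRegressed(state) {
  state.user = null;
  return state;
}

// Corrected behaviour: logout removes the token from both scopes; with
// deleteAllData (the "delete all your personal information" option) it
// also drops every other locally stored key.
function logoutFixed(state, { deleteAllData = false } = {}) {
  state.user = null;
  for (const store of [localStore, sessionStore]) {
    if (deleteAllData) store.clear();
    else store.delete('accessToken');
  }
  return state;
}

// Simulates reopening the app: tab-scoped storage is gone, and the app
// auto-logs-in only if a token is still present in persistent storage.
function reopenApp() {
  sessionStore.clear();
  return localStore.has('accessToken'); // true => login without credentials
}

// Runs one login/logout/reopen cycle from a clean slate and reports
// whether the user would be auto-logged-in afterwards.
function runScenario({ temporaryClient, logout, deleteAllData = false }) {
  localStore.clear();
  sessionStore.clear();
  login('constructed-token-123', { temporaryClient }); // constructed value
  logout({ user: 'alice' }, { deleteAllData });
  return reopenApp();
}
```

The four cases worth checking are: permanent client with the regressed logout (auto-login happens), permanent client with the fixed logout (it does not), temporary client with the regressed logout (it does not, matching the advisory), and a fixed "delete all data" logout that leaves no local keys behind.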

Potential Impact

For European organizations using the Wire messaging platform, this vulnerability could lead to unauthorized access to sensitive communications if an attacker gains physical or local access to a user's device. Since the session remains active after logout, an attacker with access to the device could reopen the webapp and gain access without credentials, potentially exposing confidential business communications, personal data, or intellectual property. This risk is particularly relevant for organizations with remote or shared work environments where devices may be left unattended. The confidentiality and integrity of communications are at risk, which could lead to data breaches or espionage. However, the requirement for local access and high privileges limits remote exploitation, reducing the risk of large-scale automated attacks. The vulnerability also poses privacy concerns under GDPR, as unauthorized access to personal data could result in regulatory penalties. Organizations relying on Wire for secure messaging must consider this risk in their threat models and incident response plans.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading wire-webapp to version 2025-05-20-production.0 or later, where the issue is fixed. Until then, users should be instructed to always select the "This is a public computer" option when logging in on shared or non-personal devices, which enforces session expiration. Additionally, users should be encouraged to use the "Delete all your personal information and conversations on this device" option upon logout to clear local session data. Organizations can implement endpoint management policies to enforce browser data clearance or session logout procedures. Monitoring for unusual session persistence or access patterns on devices can help detect exploitation attempts. Training users on secure logout practices and physical device security is also critical. For high-security environments, consider restricting wire-webapp usage to dedicated devices with strict access controls. Finally, integrating session timeout policies and multi-factor authentication can further reduce risk.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-15T16:06:40.941Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f5d2a0acd01a249264046

Added to database: 5/22/2025, 5:21:46 PM

Last enriched: 7/8/2025, 9:13:09 AM

Last updated: 8/3/2025, 4:22:45 AM
