CVE-2025-48066: CWE-226: Sensitive Information in Resource Not Removed Before Reuse in wireapp wire-webapp

Medium
Vulnerability | CVE-2025-48066 | CWE-226
Published: Thu May 22 2025 (05/22/2025, 17:20:26 UTC)
Source: CVE
Vendor/Project: wireapp
Product: wire-webapp

Description

wire-webapp is the web application for the open-source messaging service Wire. A bug fix caused a regression in the function that deletes local data. Instructing the client to delete its local database on user logout does not result in deletion. This is the case both for temporary clients (marking the device as a public computer on login) and for regular clients instructing the deletion of all personal information and conversations upon logout. Access to the machine is required to access the data. If encryption-at-rest is used, cryptographic material can't be exported. The underlying issue has been fixed with wire-webapp version 2025-05-14-production.0. To mitigate potential impact, the database must be manually deleted on devices where, with an affected version, the option "This is a public computer" was used prior to login or a logout with the request to delete local data has happened.

AI-Powered Analysis

Last updated: 07/08/2025, 08:39:51 UTC

Technical Analysis

CVE-2025-48066 is a vulnerability identified in the wire-webapp, the web application component of the open-source messaging service Wire. The issue arises from a regression introduced by a bug fix affecting the function responsible for deleting local data upon user logout. Specifically, when a user logs out and instructs the client to delete its local database, the deletion does not occur as intended. This flaw affects both temporary clients—those marking the device as a public computer during login—and regular clients who request deletion of all personal information and conversations upon logout. The vulnerability is categorized under CWE-226, which involves sensitive information remaining in resources that are not properly cleared before reuse. Although access to the physical machine is required to exploit this vulnerability, the failure to delete local data can lead to unauthorized access to sensitive user data stored locally. If encryption-at-rest is enabled, cryptographic materials cannot be exported, which somewhat mitigates the risk of data compromise. The issue has been addressed and fixed in wire-webapp version 2025-05-14-production.0. However, for devices running affected versions prior to this patch, manual deletion of the local database is necessary, especially for those that used the "This is a public computer" option or logged out with a request to delete local data. The CVSS v3.1 score is 6.0 (medium severity), reflecting the need for local access, high attack complexity, low privileges required, and user interaction, with a significant impact on confidentiality and integrity but no impact on availability.

Potential Impact

For European organizations using the Wire messaging platform, particularly those leveraging the wire-webapp, this vulnerability poses a risk of sensitive data leakage from local devices. The failure to delete local databases upon logout means that if an attacker gains physical or remote access to a device, they could retrieve personal conversations and user information that should have been erased. This risk is heightened in environments where devices are shared or used in public or semi-public settings, such as hot-desking offices or shared workstations, common in many European enterprises. Although encryption-at-rest limits the exposure of cryptographic keys, the residual data could still contain sensitive metadata or unencrypted information. This could lead to breaches of confidentiality, potentially violating GDPR requirements concerning data protection and user privacy. The impact is particularly relevant for sectors handling sensitive communications, such as legal, financial, healthcare, and governmental organizations across Europe. Additionally, the need for manual remediation on affected devices increases operational overhead and the risk of incomplete mitigation, especially in large organizations with many users. The medium severity rating reflects that exploitation requires local access and user interaction, limiting remote exploitation but not eliminating insider threats or risks from lost/stolen devices.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should:

1) Immediately update all wire-webapp instances to version 2025-05-14-production.0 or later to apply the official fix.

2) Conduct an inventory of devices that used the "This is a public computer" option or logged out with a request to delete local data on affected versions, and manually delete the local database files on these devices to ensure no residual sensitive data remains.

3) Implement endpoint management policies that enforce encryption-at-rest and restrict physical access to devices, reducing the risk of local data compromise.

4) Educate users about the importance of logging out properly and the risks associated with shared device usage, emphasizing manual database deletion if they suspect the device is affected.

5) Employ endpoint detection and response (EDR) tools to monitor for unauthorized access attempts to local storage areas where wire-webapp data is cached.

6) Review and enhance device decommissioning and handover procedures to ensure all local data is securely wiped.

7) Consider additional application-level encryption or secure containerization for sensitive messaging data to add layers of protection beyond the application's native controls.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-15T16:06:40.941Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f60d40acd01a249264430

Added to database: 5/22/2025, 5:37:24 PM

Last enriched: 7/8/2025, 8:39:51 AM

Last updated: 8/1/2025, 6:19:51 PM