CVE-2025-49846: CWE-117: Improper Output Neutralization for Logs in wireapp wire-ios
wire-ios is an iOS client for the Wire secure messaging application. From Wire iOS 3.111.1 to before 3.124.1, messages that were visible in the viewport were logged to the iOS system logs in clear text. Wire application logs created and managed by the application itself were not affected, in particular not the logs users can export and send to Wire support. The iOS logs can only be accessed by someone with (physical) access to the underlying unlocked device. The issue was triggered by calling canOpenUrl() and passing an invalid URL object. When iOS then performs the check and fails, it logs the contents to the system log. This is not documented behaviour. Wire released an emergency fix with version 3.124.1. As a workaround, users can reset their iOS device to remove the offending logs. Since Wire cannot access or modify iOS system logs, there is no workaround other than a reset.
AI Analysis
Technical Summary
CVE-2025-49846 is a medium-severity vulnerability affecting the Wire iOS client application versions from 3.111.1 up to but not including 3.124.1. Wire is a secure messaging platform, and the iOS client is widely used for encrypted communications. The vulnerability arises due to improper output neutralization for logs (CWE-117) combined with sensitive data being logged in clear text (CWE-532). Specifically, messages visible in the viewport of the Wire iOS app were inadvertently logged to the iOS system logs in plaintext. This occurred when the app called the iOS API canOpenUrl() with an invalid URL object, causing iOS to log the URL contents to the system log. This logging behavior is undocumented by Apple. Importantly, the Wire app’s own logs, including those exportable to support, were not affected. The sensitive data exposure is limited to the iOS system logs, which can only be accessed if an attacker has physical access to an unlocked device. Wire addressed this issue with an emergency patch in version 3.124.1. The only workaround prior to patching is to reset the iOS device to clear the system logs, as Wire cannot modify or delete iOS system logs. The CVSS 4.0 vector indicates local attack vector, low attack complexity, partial privileges required, partial user interaction, and high impact on confidentiality but no impact on integrity or availability. There are no known exploits in the wild at this time.
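The defensive pattern that follows from the description is to never hand raw message text to canOpenURL(_:): only a string that has already been parsed as an absolute URL with an expected scheme should reach the system API, because the failure path logs whatever it was given. The Swift below is an added example written for this page; it is not Wire's code and it does not show how Wire fixed 3.124.1. The allow-list of schemes, the `LinkPolicy` type and the `sanitizedURL(from:)` / `canOpen(_:)` names are assumptions made for the illustration.

```swift
import Foundation
import UIKit

/// Added example (not from the advisory or the wire-ios project).
/// Gate every call to UIApplication.canOpenURL(_:) behind a strict parser
/// so that message text that merely looks like a link never reaches the OS.
enum LinkPolicy {
    /// Hypothetical allow-list: the schemes this app actually needs to open.
    static let allowedSchemes: Set<String> = ["http", "https", "mailto"]

    /// Returns a URL only when `candidate` is a plausible absolute link:
    /// no whitespace or control characters, an allow-listed scheme and,
    /// for web links, a non-empty host. Anything else (ordinary message
    /// text, partial URLs, relative paths) yields nil and is never logged.
    static func sanitizedURL(from candidate: String) -> URL? {
        guard !candidate.isEmpty,
              candidate.rangeOfCharacter(from: .whitespacesAndNewlines) == nil,
              candidate.rangeOfCharacter(from: .controlCharacters) == nil,
              let components = URLComponents(string: candidate),
              let scheme = components.scheme?.lowercased(),
              allowedSchemes.contains(scheme) else {
            return nil
        }
        if scheme != "mailto" {
            // http(s) without a host is not something we want to query for.
            guard let host = components.host, !host.isEmpty else { return nil }
        }
        return components.url
    }

    /// Ask UIKit only about URLs that survived sanitisation. A rejected
    /// candidate is reported as "cannot open" without calling canOpenURL(_:),
    /// so the system log never sees the original text.
    @MainActor
    static func canOpen(_ candidate: String) -> Bool {
        guard let url = sanitizedURL(from: candidate) else { return false }
        return UIApplication.shared.canOpenURL(url)
    }
}

// Constructed inputs for a quick manual check in a playground:
//   LinkPolicy.sanitizedURL(from: "https://example.org/path") -> non-nil
//   LinkPolicy.sanitizedURL(from: "meet me at 5")             -> nil
//   LinkPolicy.sanitizedURL(from: "https://")                 -> nil
//   LinkPolicy.sanitizedURL(from: "javascript:alert(1)")      -> nil
```

The point of the two-step design is that the parsing decision is made entirely inside the app, where the rejected input is discarded rather than reported; the OS API is consulted only as the last step and only with values that are safe to appear in a log.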
Potential Impact
For European organizations using Wire iOS clients, this vulnerability poses a risk of sensitive message exposure if an attacker gains physical access to an unlocked device. This could lead to confidentiality breaches of sensitive communications, potentially exposing personal data, corporate secrets, or other confidential information. The impact is mitigated by the requirement for physical access and an unlocked device, limiting remote exploitation. However, in environments where devices are shared, lost, or stolen, this vulnerability could facilitate insider threats or opportunistic data theft. Given Wire’s use in privacy-conscious sectors, including legal, healthcare, and corporate communications, the exposure of message content—even temporarily—could have regulatory and reputational consequences under GDPR and other data protection laws. The vulnerability does not affect message integrity or availability, and no remote exploitation is possible, limiting the scope of impact primarily to confidentiality on compromised devices.
Mitigation Recommendations
European organizations should immediately update all Wire iOS clients to version 3.124.1 or later to remediate this vulnerability. Until updates are deployed, organizations should enforce strict physical security controls over iOS devices, including mandatory device locking with strong passcodes or biometric authentication to prevent unauthorized access. Device management solutions should be used to monitor and restrict physical access risks. Users should be instructed to reset their iOS devices to clear existing system logs if they suspect exposure. Additionally, organizations should review their incident response and data protection policies to address potential data exposure from lost or stolen devices. Regular audits of device security posture and user training on physical security best practices are recommended. Since Wire cannot control iOS system logs, reliance on OS-level security is critical. Finally, organizations should monitor for any updates from Apple regarding logging behavior and consider reporting any suspicious device access attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Norway, Switzerland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-11T14:33:57.800Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6866b5c76f40f0eb72995dad
Added to database: 7/3/2025, 4:54:31 PM
Last enriched: 7/3/2025, 5:10:09 PM
Last updated: 7/3/2025, 7:24:31 PM
Related Threats
- CVE-2025-5322: CWE-434 Unrestricted Upload of File with Dangerous Type in e4jvikwp VikRentCar Car Rental Management System (High)
- CVE-2025-53367: CWE-787: Out-of-bounds Write in DjvuNet DjVuLibre (High)
- CVE-2025-49826: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in vercel next.js (High)
- CVE-2025-49005: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in vercel next.js (Low)
- CVE-2025-52554: CWE-862: Missing Authorization in n8n-io n8n (Medium)