CVE-2025-66803 identifies a race condition vulnerability in the turbo-frame element handler of Hotwired Turbo, a popular web framework component used to enhance user experience by asynchronously updating parts of a web page. The vulnerability exists in versions prior to 8.0.x and arises because delayed responses from turbo-frame elements can reapply session cookies after a user has logged out. This race condition causes logout operations to fail, allowing session cookies to persist beyond intended termination. Remote attackers can exploit this by selectively delaying network requests based on timing or sequence, effectively causing the race condition to trigger and reapply session cookies. Additionally, attackers physically proximate to a shared computer can exploit naturally occurring race conditions without network manipulation. The vulnerability is classified under CWE-362 (Race Condition) and has a CVSS v3.1 base score of 4.8, indicating medium severity. The attack vector is network-based with high attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity but not availability. No patches or known exploits are currently documented, emphasizing the need for proactive mitigation. This vulnerability can lead to unauthorized session persistence, undermining user logout security and potentially allowing attackers to hijack sessions or maintain access after logout.

For European organizations, the primary impact of CVE-2025-66803 is the potential compromise of user session management, leading to unauthorized access persistence after logout. This undermines confidentiality by allowing attackers to maintain session cookies and integrity by invalidating logout operations. While availability is not affected, the risk of session hijacking or unauthorized access can lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. Organizations relying on Hotwired Turbo for critical web applications, especially those handling sensitive personal or financial data, face increased risk. The attack complexity is high, requiring network manipulation or physical proximity, which somewhat limits widespread exploitation but does not eliminate risk in shared or public environments. European entities with remote workforce or shared device usage scenarios are particularly vulnerable. The absence of known exploits suggests this is a newly disclosed vulnerability, providing a window for mitigation before active exploitation.

1. Upgrade Hotwired Turbo to version 8.0.x or later where this race condition is resolved. 2. Implement strict session management controls, including server-side session invalidation upon logout to prevent reuse of session cookies. 3. Employ network-level protections such as anomaly detection to identify and block suspicious request delays or timing manipulations that could trigger the race condition. 4. For environments with shared computers, enforce user session isolation and automatic session termination policies to reduce risk from physical proximity attacks. 5. Conduct security reviews and testing of web applications using turbo-frame elements to identify and remediate potential session handling issues. 6. Educate users about the risks of shared device usage and encourage secure logout practices. 7. Monitor web application logs for irregular session cookie reapplications or failed logout attempts. 8. Consider implementing multi-factor authentication to reduce the impact of session persistence exploitation.