
CVE-2025-66803: n/a

Published: Tue Jan 20 2026 (01/20/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.

AI-Powered Analysis

AI Last updated: 01/20/2026, 19:05:24 UTC

Technical Analysis

CVE-2025-66803 identifies a race condition vulnerability in the turbo-frame element handler component of Hotwired Turbo, a popular web framework used to enhance user experience by enabling partial page updates without full reloads. The vulnerability exists in versions prior to 8.0.x and manifests during logout operations. Specifically, when a user logs out, the system is expected to invalidate session cookies to terminate the session securely. However, due to a race condition, delayed responses from turbo-frame elements can reapply session cookies after logout has occurred. This happens because the asynchronous nature of turbo-frame requests allows an attacker to manipulate the timing or sequence of network requests, causing the session cookie to be restored inadvertently. Remote attackers can exploit this by selectively delaying network traffic, for example, by intercepting and holding back specific requests to reorder their arrival. Additionally, attackers physically proximate to shared computers can exploit naturally occurring race conditions without sophisticated network manipulation. The consequence is that a user’s session may remain active or be restored after logout, enabling unauthorized access and session hijacking. The vulnerability does not require user interaction beyond normal browsing and does not depend on authentication to exploit, increasing its risk profile. No official CVSS score has been assigned yet, but the vulnerability’s impact on session management and user authentication integrity is significant. No patches or fixes are currently linked, indicating that affected organizations must monitor for updates and consider interim mitigations. The vulnerability is particularly relevant for web applications relying on Hotwired Turbo for session and UI management, which are common in modern web development stacks.

Potential Impact

For European organizations, this vulnerability poses a significant risk to user session security and data confidentiality. If exploited, attackers can maintain or regain access to user sessions after logout, potentially accessing sensitive personal or corporate information, performing unauthorized actions, or escalating privileges. This undermines trust in web applications and can lead to regulatory non-compliance, especially under GDPR, which mandates strict protection of personal data and session integrity. The risk is heightened in environments with shared computers, such as public terminals or corporate hot desks, common in many European workplaces. Additionally, remote exploitation via network delays could be leveraged in targeted attacks against high-value users or systems. The failure of logout operations can also disrupt availability by complicating session management and increasing support overhead. Organizations in sectors such as finance, healthcare, and government, which rely heavily on secure web applications, are particularly vulnerable. The lack of an immediate patch increases exposure time, necessitating proactive mitigation. The threat also impacts trust in web frameworks and may slow adoption of Hotwired Turbo-based solutions until resolved.

Mitigation Recommendations

1. Monitor official Hotwired Turbo channels for patches and upgrade to version 8.0.x or later as soon as it becomes available to eliminate the race condition.
2. Implement strict session management policies server-side, including immediate invalidation of session tokens upon logout and server-side session expiration checks to prevent reuse of stale cookies.
3. Employ network-level controls such as rate limiting, request sequencing enforcement, and detection of anomalous request delays to reduce the feasibility of selective network delays by attackers.
4. For shared or public computers, enforce additional logout confirmation steps and clear all session data from browsers and caches immediately upon logout.
5. Use Content Security Policy (CSP) and SameSite cookie attributes to restrict cookie scope and reduce the risk of session cookie reuse.
6. Conduct security awareness training for users about the risks of shared devices and encourage use of private browsing modes where feasible.
7. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious request timing patterns indicative of exploitation attempts.
8. Perform regular security testing and code reviews focusing on asynchronous request handling and session management logic to identify similar race conditions early.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-08T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 696fce914623b1157c4804ae

Added to database: 1/20/2026, 6:50:57 PM

Last enriched: 1/20/2026, 7:05:24 PM

Last updated: 1/20/2026, 8:00:50 PM
