DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-66803: The Undead Session: Explaining the Race Condition in Hotwired Turbo

Vulnerability ID: CVE-2025-66803
CVSS Score: High
Published: 2026-01-20

A critical race condition in Hotwired Turbo allows delayed background requests to restore destroyed session cookies, effectively logging a user back in after they have signed out.

TL;DR

If you use Turbo Frames with cookie-based sessions (like default Rails), a slow network request from a frame can arrive after a user logs out. Because the browser processes the 'Set-Cookie' header from the delayed response immediately, the old session cookie is resurrected, and the user is re-authenticated without their knowledge.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-362 (Race Condition)
  • Attack Vector: Network / User Interaction
  • CVSS: High (Estimated)
  • Vulnerability Type: Session Restoration
  • Impact: Authentication Bypass
  • Patch Status: Released (v8.0.21)

Affected Systems

  • Ruby on Rails applications using Turbo
  • Any web application using @hotwired/turbo < 8.0.21
  • Single Page Applications (SPAs) relying on Turbo Frames
  • @hotwired/turbo: < 8.0.21 (Fixed in: 8.0.21)

Code Analysis

Commit: 899df35

Abort fetch requests when frame is disconnected

  // Commit 899df35: when the turbo-frame element is disconnected from the DOM, cancel its
  // in-flight fetch so a late response can no longer be applied (skipped for frames that
  // carry a "recurse" attribute).
  if (!this.element.hasAttribute("recurse")) { this.#currentFetchRequest?.cancel() }
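
The following is an added illustration, not Turbo's code and not from the commit above. It replays the sequence the TL;DR describes with a stand-in cookie jar and a stand-in frame request: the user signs in, a frame starts a slow request, the user signs out (the logout response expires the cookie), and then the delayed frame response arrives carrying Set-Cookie. With `cancelOnDisconnect: false` the stale cookie is written back; with `cancelOnDisconnect: true` (the behaviour the 8.0.21 fix introduces by cancelling the request when the frame leaves the DOM) the late response is dropped. Cookie name, session value and the ordering of events are constructed for the demonstration.

```javascript
// Added illustration, not Turbo's code. Models the race the report describes:
// a slow turbo-frame response carrying Set-Cookie lands after the user has signed out.
// Cookie name, session value and event ordering are constructed.

// Stand-in for the browser cookie store. Max-Age=0 deletes a cookie, as a logout response does.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  applySetCookie(header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const maxAge = attrs.find((a) => a.toLowerCase().startsWith("max-age="));
    if (maxAge !== undefined && Number(maxAge.split("=")[1]) <= 0) {
      this.cookies.delete(name);
    } else {
      this.cookies.set(name, value);
    }
  }
  get(name) { return this.cookies.get(name); }
}

// Stand-in for a frame's in-flight fetch. With a cookie-backed session store the server
// re-sends the session cookie on every response, so the frame response carries Set-Cookie.
class FrameRequest {
  constructor(jar) {
    this.jar = jar;
    this.controller = new AbortController();
  }
  // What the fix does when the frame is disconnected from the DOM.
  cancel() { this.controller.abort(); }
  // Called when the (delayed) response finally arrives.
  deliver(response) {
    if (this.controller.signal.aborted) return "dropped";
    this.jar.applySetCookie(response.setCookie);
    return "applied";
  }
}

// Constructed server responses: the frame response echoes the session cookie that was
// live when the server built it; the logout response expires it.
const SESSION = "_app_session";
const frameResponse = (value) => ({ setCookie: `${SESSION}=${value}` });
const logoutResponse = () => ({ setCookie: `${SESSION}=; Max-Age=0` });

// Runs the timeline once and reports what the cookie store holds after each step.
function runTimeline({ cancelOnDisconnect }) {
  const jar = new CookieJar();
  jar.applySetCookie(frameResponse("sess-abc123").setCookie); // 1. user is signed in
  const frame = new FrameRequest(jar);                           // 2. frame starts a slow request
  jar.applySetCookie(logoutResponse().setCookie);                // 3. user signs out
  const afterLogout = jar.get(SESSION);                          //    cookie is gone here
  if (cancelOnDisconnect) frame.cancel();                        // 4. frame removed from DOM
  const outcome = frame.deliver(frameResponse("sess-abc123"));   // 5. late response arrives
  return { afterLogout, outcome, finalCookie: jar.get(SESSION) };
}

// Self-check when run directly: node undead-session.js
if (typeof require !== "undefined" && require.main === module) {
  console.log("unpatched:", runTimeline({ cancelOnDisconnect: false }));
  console.log("patched:  ", runTimeline({ cancelOnDisconnect: true }));
}
```

The unpatched run ends with the old cookie value back in the jar even though the logout response had expired it; the patched run ends with no session cookie. Real timing is a race between the logout navigation and the frame's response, which is why remediation step 3 below checks the Network tab for the cancelled request rather than relying on the order of events.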

Exploit Details

Mitigation Strategies

  • Upgrade @hotwired/turbo to version 8.0.21 or later immediately.
  • Switch from the cookie-backed session store (Rails' default CookieStore, where the cookie itself holds the session) to server-side session storage (Redis/Memcached) so that a resurrected cookie only references a session record the server has already destroyed.
  • Implement aggressive cache-control headers on authenticated endpoints to prevent browser caching of sensitive responses.

Remediation Steps:

  1. Check your package.json or importmap.rb for @hotwired/turbo version.
  2. Run bundle update turbo-rails or yarn upgrade @hotwired/turbo.
  3. Verify that turbo-frame requests are cancelled in the Network tab when navigating away from a page.

References


Read the full report for CVE-2025-66803 on our website for more details including interactive diagrams and full exploit analysis.
