Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
Advisories
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-qppm-g56g-fpvp | Turbo Frame responses can restore stale session cookies |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 20 Jan 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers. | |
| References |
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-01-20T18:38:44.792Z
Reserved: 2025-12-08T00:00:00.000Z
Link: CVE-2025-66803
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-01-20T19:15:49.537
Modified: 2026-01-20T19:15:49.537
Link: CVE-2025-66803
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.