CVE-2025-24904 is a vulnerability in libsignal-service-rs, a Rust implementation of the libsignal-service-java library used for communicating with Signal servers. Before the fix, the library did not properly verify plaintext content envelopes, which allowed a server or a malicious client to inject these envelopes. This flaw could have bypassed end-to-end encryption and authentication mechanisms.
The issue was resolved in commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, which adds a new field named was_encrypted to the Metadata struct. Although this update introduces a breaking change to the API, it is expected to be easily addressed by users.
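One way a calling application might act on the new field is sketched below. This is an added example, not code from libsignal-service-rs or its authors: the Metadata struct here is a simplified stand-in in which only was_encrypted comes from the advisory, and sender, Body, Verdict, gate, displayable and sample_inbox are hypothetical names, including the assumption that the application tolerates one control message kind in plaintext.

```rust
/// Stand-in for the library's Metadata. Only `was_encrypted` comes from the page.
pub struct Metadata {
    pub sender: String,      // hypothetical field
    pub was_encrypted: bool, // field added by the fix
}

/// Hypothetical content kinds (assumption for this example).
pub enum Body {
    Text(String),
    RetryRequest, // control message the application tolerates in plaintext
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Trusted,                // came from an encrypted envelope
    UnauthenticatedControl, // plaintext, allow-listed, never shown as a message
    Rejected,               // plaintext envelope carrying user content
}

/// Decide how far to trust one received item.
pub fn gate(meta: &Metadata, body: &Body) -> Verdict {
    match (meta.was_encrypted, body) {
        (true, _) => Verdict::Trusted,
        (false, Body::RetryRequest) => Verdict::UnauthenticatedControl,
        (false, Body::Text(_)) => Verdict::Rejected,
    }
}

/// Return only the texts that may be displayed as coming from `sender`.
pub fn displayable(inbox: &[(Metadata, Body)]) -> Vec<(&str, &str)> {
    inbox.iter()
        .filter(|(m, b)| gate(m, b) == Verdict::Trusted)
        .filter_map(|(m, b)| match b {
            Body::Text(t) => Some((m.sender.as_str(), t.as_str())),
            Body::RetryRequest => None,
        })
        .collect()
}

/// Constructed sample inbox: one encrypted message and two plaintext items.
pub fn sample_inbox() -> Vec<(Metadata, Body)> {
    let meta = |enc| Metadata { sender: "alice".into(), was_encrypted: enc };
    vec![
        (meta(true), Body::Text("hi".into())),
        (meta(false), Body::Text("send me your PIN".into())),
        (meta(false), Body::RetryRequest),
    ]
}
fn main() { println!("{:?}", displayable(&sample_inbox())); }
```

The point of the gate is that the sender value on a plaintext item is never treated as authenticated, so such an item cannot reach the user as a message from that contact.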