CVE-2025-66803: Turbo Frame responses can restore stale session cookies
A race condition in Turbo Frames allows a delayed HTTP response to restore a stale session cookie after a session-modifying operation: a frame request sent while the old session was still active can return after the session has changed, and the Set-Cookie header on that late response then overwrites the new session cookie. The fix shipped in Turbo v8.0.21 (see the linked release tag and commit).
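To make the race concrete, here is an added example that is not code from the Turbo project or from the advisory: a deterministic model of a browser cookie jar, an in-flight request table and a server that re-issues the session it received, so the order in which responses arrive is chosen explicitly instead of by network timing. `makeServer`, `makeBrowser`, `runOutOfOrder`, `runInOrder`, the `abortFramesOnSubmit` guard, the cookie values and the paths are all constructed for illustration. The guard demonstrates one cancellation pattern (abort in-flight frame fetches when a form is submitted); it is not a description of what the upstream commit does, which only the linked references state.

```javascript
"use strict";

// Constructed server model: every response to an ordinary request re-issues
// the session cookie the request carried (the way a cookie-store session is
// re-encoded on each response); /logout replaces it with an anonymous one.
function makeServer() {
  return {
    handle(path, requestCookie) {
      if (path === "/logout") {
        return { setCookie: "session=anonymous", body: "logged out" };
      }
      return {
        setCookie: `session=${requestCookie}`,
        body: `<turbo-frame id="f">hello ${requestCookie}</turbo-frame>`,
      };
    },
  };
}

// Constructed browser model: one cookie jar, a table of in-flight fetches,
// and explicit delivery so the caller decides which response lands first.
function makeBrowser(server, { abortFramesOnSubmit }) {
  const jar = { session: "alice" };   // logged-in user at the start (constructed)
  const inflight = new Map();         // id -> { path, cookieSent, isFrame, aborted }
  let nextId = 1;

  function start(path, isFrame) {
    const id = nextId++;
    // The request carries whatever cookie is current at send time.
    inflight.set(id, { path, cookieSent: jar.session, isFrame, aborted: false });
    return id;
  }

  return {
    // A <turbo-frame> navigation.
    startFrameRequest(path) {
      return start(path, true);
    },
    // A form submission (here, logout). With the guard on, every in-flight
    // frame fetch is aborted first, so its late response is never applied.
    submitForm(path) {
      if (abortFramesOnSubmit) {
        for (const req of inflight.values()) {
          if (req.isFrame) req.aborted = true;
        }
      }
      return start(path, false);
    },
    // The response for request `id` reaches the browser. Set-Cookie is applied
    // before any script sees the body; an aborted fetch is simply dropped.
    deliver(id) {
      const req = inflight.get(id);
      inflight.delete(id);
      if (req.aborted) return null;
      const res = server.handle(req.path, req.cookieSent);
      jar.session = res.setCookie.split("=")[1];
      return res;
    },
    session() {
      return jar.session;
    },
  };
}

// The race: the frame request was sent first, but its response lands after
// the logout response has already replaced the session cookie.
function runOutOfOrder(abortFramesOnSubmit) {
  const browser = makeBrowser(makeServer(), { abortFramesOnSubmit });
  const frame = browser.startFrameRequest("/inbox");
  const logout = browser.submitForm("/logout");
  browser.deliver(logout);   // session becomes "anonymous"
  browser.deliver(frame);    // stale Set-Cookie restores "alice" unless aborted
  return browser.session();
}

// Same two requests, responses in send order: no race, logout wins either way.
function runInOrder(abortFramesOnSubmit) {
  const browser = makeBrowser(makeServer(), { abortFramesOnSubmit });
  const frame = browser.startFrameRequest("/inbox");
  const logout = browser.submitForm("/logout");
  browser.deliver(frame);
  browser.deliver(logout);
  return browser.session();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("out of order, no guard:", runOutOfOrder(false)); // alice
  console.log("out of order, guard   :", runOutOfOrder(true));  // anonymous
  console.log("in order, no guard    :", runInOrder(false));    // anonymous
}
```

Run it with `node race.js`. The model makes the practical point visible: once a response has arrived, the browser's network stack has already applied its Set-Cookie header before Turbo (or any script) sees the body, so a stale response cannot be "un-applied" after the fact; the defense has to keep the late response from being received at all, which is why a client-side fix takes the form of cancelling in-flight frame fetches. For your own application the check is simpler than the model: confirm the resolved `@hotwired/turbo` version in your lockfile or importmap is 8.0.21 or later.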
References
- github.com/advisories/GHSA-qppm-g56g-fpvp
- github.com/hotwired/turbo
- github.com/hotwired/turbo/commit/899df356e9f4b3303cca217cd14b3f846edda10d
- github.com/hotwired/turbo/pull/1399
- github.com/hotwired/turbo/releases/tag/v8.0.21
- github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp
- nvd.nist.gov/vuln/detail/CVE-2025-66803
- turbo.hotwired.dev/handbook/frames