CVE-2019-9970
CVE-2019-9970 is a medium-severity vulnerability in Signal Private Messenger with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 4.3
- EPSS exploit prediction: 2% (76th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Signal Private Messenger
- Published:
- Last modified:
Description
Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
Frequently asked questions
- What is CVE-2019-9970?
- Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
- How severe is CVE-2019-9970?
- CVE-2019-9970 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2019-9970 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (76th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-9970?
- CVE-2019-9970 primarily affects Signal Private Messenger. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-9970?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2019-9970 published?
- CVE-2019-9970 was published on 2019-03-24 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/107550
- https://github.com/blazeinfosec/advisories/blob/master/signal-advisory.txt
Affected products (2)
- cpe:2.3:a:signal:private_messenger:*:*:*:*:*:android:*:*
- cpe:2.3:a:signal:signal-desktop:*:*:*:*:*:*:*:*
More vulnerabilities in Signal Private Messenger
- CVE-2019-17192 — Critical (CVSS 9.8): The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videoconferencing…
- CVE-2019-17191 — High (CVSS 7.5): The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered,…
- CVE-2020-5753 — Medium (CVSS 5.3): Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a victim's…
- CVE-2018-3988 — Medium (CVSS 4.7): Signal Messenger for Android 4.24.8 may expose private information when using "disappearing messages." If a user uses…