CVE-2025-48061

CVE-2025-48061 is a medium-severity vulnerability with a CVSS 3.x base score of 5.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-613.

Key facts

Description

wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting "This is a public computer" during login or the user selects "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented by either deleting all information upon logout as well as logging in as a temporary client.

Frequently asked questions

What is CVE-2025-48061?
wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting "This is a public computer" during login or the user selects "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented by either deleting all information upon logout as well as logging in as a temporary client.
How severe is CVE-2025-48061?
CVE-2025-48061 has a CVSS 3.x base score of 5.6, rated medium severity. It is exploitable over local access with high attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2025-48061 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (2nd percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-48061?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-48061 have an EU (EUVD) identifier?
Yes. CVE-2025-48061 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-16186.
When was CVE-2025-48061 published?
CVE-2025-48061 was published on 2025-05-22 and last updated on 2026-06-17.

References

Other CWE-613 (Insufficient Session Expiration) vulnerabilities

Browse all CWE-613 (Insufficient Session Expiration) vulnerabilities →