Signal HTML tag injection advisory


Title: Signal-desktop HTML tag injection

Date Published: 2018-05-14

Last Update: 2018-05-14

CVE Name: CVE-2018-10994

Class: Code injection

Remotely Exploitable: Yes

Locally Exploitable: No

Vendors contacted:

Vulnerability Description:

Signal-desktop is the standalone desktop version of the secure Signal messenger. This software is vulnerable to remote code execution from a malicious contact, by sending a specially crafted message containing HTML code that is injected into the chat windows (Cross-site scripting).

Vulnerable Packages:

  • Signal-desktop messenger v1.7.1
  • Signal-desktop messenger v1.8.0
  • Signal-desktop messenger v1.9.0
  • Signal-desktop messenger v1.10.0

Originally found in v1.9.0 and v1.10.0, but after reviewing the source code the aforementioned are the impacted versions.

Solution/Vendor Information/Workaround

Upgrade to Signal-desktop messenger v1.10.1 or v1.11.0-beta.3
For safer communications on desktop systems, please consider the use of a safer end-point client like PGP or GnuPG instead.


This vulnerability was found and researched by Iván Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and Juliano Rizzo (@julianor), with assistance from Javier Lorenzo Carlos Smaldone (@mis2centavos).

Technical Description – Exploit/Concept Code

While discussing a XSS vulnerability on a website using the Signal-desktop messenger, it was found that the messenger software also displayed a code-injection vulnerability while parsing the affected URLs.

The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the and

Previous articleGoogle’s bash style guide
Next articleLGTM: a Chrome extension

This site uses Akismet to reduce spam. Learn how your comment data is processed.