The Undead Session: Explaining the Race Condition in Hotwired Turbo

Hotwired Turbo (formerly Turbolinks) is the darling of the Ruby on Rails world. It promises the snappy feel of a Single Page Application (SPA) without the crushing complexity of React or Vue state management. It does this by intercepting links and form submissions, fetching HTML in the background, and swapping out the body <body> or specific <turbo-frame> elements.

But here's the thing about doing everything in the background: asynchronicity is hard. When you fire off a dozen requests to populate different frames on a dashboard, you lose the linear guarantee of a traditional page load. You are effectively throwing packets at the server and hoping they come back in an order that makes sense.

CVE-2025-66803 describes a scenario where that hope dies. It's a classic race condition, but it's not happening in your database or your threads—it's happening between your user's mouse click and the browser's network stack. It turns out, making things feel "fast" can sometimes make security remarkably loose.

To understand this vulnerability, you have to understand a fundamental behavior of web browsers that most developers ignore: The Network Stack and the DOM are decoupled.

When a JavaScript application (like Turbo) initiates a fetch() request, the browser handles the networking. If the server responds with HTTP headers, the browser processes them immediately. Crucially, if the response includes a Set-Cookie header, the browser updates its cookie jar before the JavaScript runtime even gets a chance to look at the response body or decide if it still cares about the data.

In the context of Turbo, imagine a <turbo-frame> requesting a slow widget. While that request is hanging in limbo, the user clicks "Logout". The application processes the logout, the server destroys the session, and the browser clears the cookie. Clean and secure, right?

Wrong. That slow widget request is still alive. A second later, it finally completes. The server, which processed that request before the session was destroyed (or concurrently), sends back a 200 OK with the Set-Cookie header containing the old, valid session ID. The browser, being a helpful idiot, sees the cookie and dutifully writes it back into the jar. The zombie session is born.

The fix for this is elegant but highlights exactly what was missing. The FrameController class in Turbo manages the lifecycle of frame elements. In versions prior to 8.0.21, when a frame was removed from the DOM (disconnected)—for example, when the page body was replaced during a logout redirect—the pending fetch request was simply orphaned.

The patch introduces the AbortController API to explicitly kill these requests. By calling .cancel(), Turbo signals the browser to sever the connection immediately, preventing the processing of late response headers.

Here is the critical diff in src/core/frames/frame_controller.js:

// BEFORE: The disconnect method didn't clean up network traffic
disconnect() {
  // ... code removing event listeners ...
}
 
// AFTER: Explicitly cancelling the fetch request
disconnect() {
  // ... 
  if (!this.element.hasAttribute("recurse")) {
    this.#currentFetchRequest?.cancel() // <--- The Kill Switch
  }
}
 
// Managing the loading state
sourceURLChanged() {
   if (this.#isIgnoringChangesTo("src")) return
 
   if (!this.sourceURL) {
     this.#currentFetchRequest?.cancel() // <--- Stop fetching if src is cleared
   }
   // ...
}

This .cancel() method bubbles down to trigger AbortController.abort(). This is the digital equivalent of hanging up the phone before the telemarketer (or in this case, the server) can finish their sentence.

Let's construct a realistic attack scenario. This works best against users on slow connections or applications with heavy server-side processing.

The Setup:

1. Target: A Rails app using CookieStore (client-side session storage) and Turbo.
2. Victim: Logged in on a public terminal or shared computer.
3. Vulnerable Element: A dashboard with a generic <turbo-frame id="notifications" src="/notifications/recent"> that loads automatically.

The Attack Chain:

1. The victim visits the dashboard. The notifications frame initiates a fetch request.
2. Lag: The network is slow, or the /notifications/recent endpoint takes 2 seconds to query the database.
3. Action: The victim clicks "Sign Out" immediately. The app redirects to the landing page. The session cookie is cleared by the logout response.
4. The Race: The victim walks away.
5. The Event: 500ms later, the /notifications/recent response arrives. It was generated while the user was still logged in, so it contains the Set-Cookie header with the valid encrypted session string.
6. Restoration: The browser re-saves the session cookie.
7. Access: The attacker walks up to the computer, hits "Back" or refreshes the page, and is fully authenticated as the victim.

[!WARNING] This is particularly dangerous because from the user's perspective, the UI confirmed they were logged out. The betrayal happens entirely invisibly in the background.

If you are running @hotwired/turbo below version 8.0.21, you are vulnerable. The primary mitigation is obviously to upgrade.

However, this vulnerability also serves as a stark reminder of why Server-Side Sessions are superior to Client-Side Cookie Stores (like Rails' default).

If you use a server-side store (Redis, Memcached, Database):

1. When the user logs out, you delete the Session ID from Redis.
2. Even if the race condition occurs and the browser restores the old Session ID cookie, that ID is now invalid on the server.
3. The next request will fail authentication.

If you stick with stateless cookie sessions (JWTs or encrypted cookies), you are trusting the client to hold the state. If the client (browser) gets confused, your security model collapses. Upgrade Turbo, but also consider architecting your auth system to not trust the browser quite so much.