PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-25900 HelloTalk CVE debrief

CVE-2020-25900 is a vulnerability in HelloTalk that stores full-precision GPS coordinates even when users intend to share only a country or city. These coordinates are then stored in a database on other users' client side. Although the client was updated in 2019 to encrypt this database, the vulnerability still poses a risk to user privacy. The vulnerability has a CVSS score of 5.3 and a severity rating of MEDIUM. For more information, refer to the official CVE record [cve-org] and the NVD detail page [nvd].

Vendor
HelloTalk
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-05
Advisory published
2026-06-05
Advisory updated
2026-06-05

Who should care

Users of HelloTalk, especially those concerned with location privacy, should be aware of this vulnerability. Developers and security teams should also take note of this issue to ensure similar vulnerabilities are addressed in their applications.

Technical summary

The vulnerability involves HelloTalk storing full-precision GPS coordinates when the user chose to share only a coarser location (country or city). This issue has been documented with a CVSS score of 5.3 and a severity rating of MEDIUM. The Common Weakness Enumeration (CWE) for this vulnerability is CWE-359.

Defensive priority

MEDIUM

Recommended defensive actions

  • Users should review their location sharing settings and consider updating to the latest version of HelloTalk if available.
  • Developers should review their applications' location handling and storage practices to prevent similar vulnerabilities.
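As an added illustration of the second action (this is example code, not HelloTalk's code or the PatchSiren advisory's), the snippet below coarsens a GPS fix to the precision the user chose before it is sent to peers, so a peer-side database never receives the full-precision point, and a receiver-side check flags payloads whose precision exceeds their declared level. The grid sizes (0.1 degrees for city, 1 degree for country) are assumed values chosen for illustration.

```python
import math
from enum import Enum


class ShareLevel(Enum):
    EXACT = "exact"
    CITY = "city"
    COUNTRY = "country"


# Assumed grid cell size in degrees per level (roughly 11 km for CITY,
# 111 km for COUNTRY). EXACT passes the coordinates through unchanged.
GRID_DEGREES = {ShareLevel.EXACT: None, ShareLevel.CITY: 0.1, ShareLevel.COUNTRY: 1.0}


def coarsen(lat: float, lon: float, level: ShareLevel) -> tuple[float, float]:
    """Snap a coordinate pair to the centre of its grid cell for the given level."""
    step = GRID_DEGREES[level]
    if step is None:
        return lat, lon

    def snap(v: float) -> float:
        # Cell centre, not the original point, so the result carries no extra precision.
        return round((math.floor(v / step) + 0.5) * step, 6)

    return snap(lat), snap(lon)


def location_payload(lat: float, lon: float, level: ShareLevel) -> dict:
    """Build the only location data that leaves the client for this sharing level.

    Coarsening happens here, on the sender's side, so the full-precision fix
    is never transmitted and therefore cannot be stored by other users' clients.
    """
    clat, clon = coarsen(lat, lon, level)
    return {"level": level.value, "lat": clat, "lon": clon}


def exceeds_declared_precision(payload: dict) -> bool:
    """Receiver-side check: True if the point is finer than its declared level.

    A payload that fails this check is leaking more location data than the
    sender said it was sharing and should be coarsened or dropped on receipt.
    """
    level = ShareLevel(payload["level"])
    expected = coarsen(payload["lat"], payload["lon"], level)
    return (payload["lat"], payload["lon"]) != expected


if __name__ == "__main__":
    # Constructed sample fix (a landmark in Paris) shared at city level.
    print(location_payload(48.858370, 2.294481, ShareLevel.CITY))
```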

Evidence notes

Evidence for this CVE comes from official sources including the CVE.org record [cve-org] and the NVD detail page [nvd]. Additional information can be found at [ref-4].

Official resources

CVE-2020-25900 was published on 2026-06-05T15:16:39.230Z and modified on 2026-06-05T16:04:48.437Z.