CVE-2020-25900

MEDIUM 5.3

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. (The client side was changed in 2019 to encrypt that database.)

CWE	CWE-359
Vendor	hellotalk
Product	hellotalk
Published	Jun 5, 2026
Last Updated	Jun 5, 2026

Stay Ahead of the Next One

Get instant alerts for hellotalk hellotalk

Be the first to know when new medium vulnerabilities affecting hellotalk hellotalk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

HelloTalk / HelloTalk

0 ≤ 3.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

isopach.dev: https://isopach.dev/CVE-2020-25900/