CVE-2025-49846: 
Wire vulnerability analysis and mitigation

CVE-2025-49846 affects the iOS client of Wire secure messaging application (wire-ios) from versions 3.111.1 to before 3.124.1. The vulnerability was discovered in July 2025 and involves messages visible in the viewport being inadvertently logged to iOS system logs in clear text. This security issue affects the iOS system logs but does not impact Wire application's own logging system (GitHub Advisory).

The vulnerability occurs when the application calls canOpenUrl() function with an invalid URL object, causing iOS to log the message contents to the system log when the URL check fails. This behavior is undocumented in iOS. The vulnerability has been assigned a CVSS v4.0 base score of 4.1 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue is classified under CWE-532 (Insertion of Sensitive Information into Log File) and CWE-117 (Improper Output Neutralization for Logs) (GitHub Advisory).

The vulnerability exposes message contents in clear text within iOS system logs. However, accessing these logs requires physical access to an unlocked device. Wire application's own logs, including those that users can export and send to Wire support, remain unaffected by this vulnerability (GitHub Advisory).

Wire has released an emergency fix in version 3.124.1, available on the App Store. As Wire cannot access or modify iOS system logs, the only workaround for affected users is to reset their iOS device to remove the offending logs (Wire Release, GitHub Advisory).