WhatsApp has urged users to update after the instant messaging service fixed a security flaw.
The bug, which goes by the catchy name CVE-2025-30401, affects older versions of WhatsApp Desktop for Windows PCs.
Not updating could place personal data at risk, experts warn.
What is the bug?
The bug makes people’s computers vulnerable to ‘spoofing’, which involves cyber crooks disguising their malware as an attached image file.
Clicking on the image lets the malware slip into the device, allowing hackers to execute code – a script tells gadgets what to do.
The attack, called arbitrary code execution, uses a dodgy program to rip open a device’s backdoor so scammers can steal passwords, turn off security protections and even seize control of the device.
On the WhatsApp desktop version, the instant messaging service displays attachments based on their MIME type – metadata labelling the file type.
But because of the bug, WhatsApp would instead open the file based on its filename extension, the little suffix that labels the file type, like ‘.mp3’ for a music file.
Or ‘.exe’, short for ‘executable’, a set of instructions for a computer. The worry, experts said, is hackers disguising these .exe files that execute attacks as harmless images.
‘A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension,’ the company said in a security advisory.
‘A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.’
This update has patched out the flaw, so users are advised to update WhatsApp for Windows to version 2.2450.6 or later as soon as possible.
Once the software is fully updated, people’s sensitive data will be secure.
WhatsApp or its parent company Meta did not say the flaw had been exploited in real-life attacks.
CVE-2025-30401 was reported by a researcher to Meta’s bug bounty program.
‘Think of WhatsApp the same way as email,’ Dr Martin Kraemer, security awareness advocate at KnowBe4, told Forbes.
‘You would not want to open an unexpected email attachment, especially not from someone you do not know.
‘You also would not want to forward attachments that pose risks to friends or family. If in doubt, delete the message and file.’
Get in touch with our news team by emailing us at [email protected].
For more stories like this, check our news page.
MORE: WhatsApp users want to get rid of Meta AI — here’s everything we know
MORE: Full list of phones that WhatsApp will no longer work on in May 2025
MORE: Major WhatsApp group chat makeover revealed to stop messages being ignored
