Platform
go
Component
github.com/alist-org/alist
Fixed in
3.57.1
3.57.0
CVE-2026-25160 describes an Insecure TLS Config vulnerability in Alist, a file storage and sharing application. The flaw allows attackers to potentially compromise the confidentiality and integrity of data transmitted over HTTPS connections. It affects versions of Alist released before 3.57.0; a fix is available in version 3.57.0.
The Insecure TLS Config vulnerability in Alist allows attackers to perform man-in-the-middle (MITM) attacks. By exploiting this weakness, an attacker can intercept and potentially decrypt sensitive data exchanged between clients and the Alist server, including usernames, passwords, and stored files. This could lead to unauthorized access, data theft, and further compromise of the system. The severity is CRITICAL due to the ease of exploitation and the potential for widespread impact, particularly in environments where Alist is used to store sensitive information.
CVE-2026-25160 was publicly disclosed on 2026-02-05. There are currently no publicly available proof-of-concept exploits. The vulnerability's criticality suggests a potential for exploitation if a readily available exploit is developed. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Organizations and individuals using Alist for file storage and sharing, particularly those handling sensitive data, are at significant risk. This includes users who have not regularly updated their Alist installation and those relying on default TLS configurations.
• go / server: Inspect Alist's TLS configuration for weak cipher suites or outdated protocols. Use openssl s_client -connect <alist-server>:443 to check the negotiated cipher suite, for example:
openssl s_client -connect alist.example.com:443 -tls1_2
• generic web: Use online TLS checkers (e.g., SSL Labs) to assess the server's TLS configuration and identify potential weaknesses.
• generic web: Monitor access logs for unusual traffic patterns or connections from unexpected IP addresses.
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25160 is to immediately upgrade Alist to version 3.57.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as enforcing strict TLS cipher suites on the server and using a Web Application Firewall (WAF) to detect and block suspicious traffic patterns indicative of MITM attacks. Regularly review and update your TLS configuration to ensure it adheres to best practices and industry standards. After upgrading, confirm the TLS configuration is secure by using an online TLS checker tool.
Update Alist to version 3.57.0 or later. This version fixes the insecure TLS configuration that enables man-in-the-middle attacks. The update ensures that TLS certificate verification is enabled, which protects the confidentiality and integrity of data transmitted during storage operations.
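To make the class of misconfiguration concrete, here is an added Go illustration (not Alist's code; the advisory does not show the affected source). It places a client tls.Config with certificate verification disabled beside a hardened one, and a small audit helper, AuditTLSConfig, that flags the weak settings a reviewer would look for.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// insecureClientConfig is the kind of setting the advisory describes:
// InsecureSkipVerify disables chain and hostname checks, so a
// man-in-the-middle with any certificate is accepted.
// Illustrative reconstruction only, not Alist's actual code.
func insecureClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedClientConfig keeps verification on (the zero value of
// InsecureSkipVerify) and pins a modern protocol floor.
func hardenedClientConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// AuditTLSConfig returns one finding per weak setting in a client
// tls.Config. A nil config means Go defaults, which verify the peer.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg == nil {
		return findings
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings,
			"InsecureSkipVerify is true: certificate chain and hostname are not checked")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion allows TLS 1.0/1.1")
	}
	return findings
}

func main() {
	configs := map[string]*tls.Config{
		"insecure": insecureClientConfig(),
		"hardened": hardenedClientConfig(),
	}
	for name, cfg := range configs {
		fmt.Printf("%s: %v\n", name, AuditTLSConfig(cfg))
	}
}
```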
CVE-2026-25160 is a CRITICAL vulnerability in Alist allowing attackers to intercept encrypted traffic. It affects versions before 3.57.0, potentially exposing sensitive data.
You are affected if you are running Alist version 3.57.0 or earlier. Immediately check your version and upgrade to mitigate the risk.
Upgrade Alist to version 3.57.0 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and strict TLS cipher suites.
Currently, there are no publicly known active exploitation campaigns, but the CRITICAL severity suggests a potential for exploitation.
Refer to the Alist project's GitHub repository and release notes for the official advisory and detailed information regarding the fix.