Platform: go
Component: github.com/alist-org/alist
Fixed in: 3.57.1, 3.57.0
CVE-2026-25160 describes an Insecure TLS Config vulnerability within Alist, a file storage and sharing application. This flaw allows attackers to potentially compromise the confidentiality and integrity of data transmitted over HTTPS connections. The vulnerability impacts versions of Alist released before 3.57.0, and a fix is available in version 3.57.0.
The Insecure TLS Config vulnerability in Alist allows attackers to perform man-in-the-middle (MITM) attacks. By exploiting this weakness, an attacker can intercept and potentially decrypt sensitive data exchanged between clients and the Alist server, including usernames, passwords, and stored files. This could lead to unauthorized access, data theft, and further compromise of the system. The severity is CRITICAL due to the ease of exploitation and the potential for widespread impact, particularly in environments where Alist is used to store sensitive information.
CVE-2026-25160 was publicly disclosed on 2026-02-05. No public proof-of-concept exploit is currently available. Given the vulnerability's criticality, exploitation is likely to follow if a working exploit is published. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2026-25160 is to immediately upgrade Alist to version 3.57.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as enforcing strict TLS cipher suites on the server and using a Web Application Firewall (WAF) to detect and block suspicious traffic patterns indicative of MITM attacks. Regularly review and update your TLS configuration to ensure it adheres to best practices and industry standards. After upgrading, confirm the TLS configuration is secure by using an online TLS checker tool.
Update Alist to version 3.57.0 or higher. This version corrects the insecure TLS configuration that allows Man-in-the-Middle attacks. The update ensures that TLS certificate verification is enabled, protecting the confidentiality and integrity of data transmitted during storage operations.
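As an added illustration of the weak and corrected configurations described in the mitigation and fix sections above (constructed for this page, not code from the Alist repository), the Go snippet below places a client TLS config with certificate verification disabled beside a hardened one, and includes a small check that a code review or unit test can run against any tls.Config to catch the pattern before release. The hostname is a placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// insecureClientConfig shows the weak pattern this advisory describes:
// certificate verification is switched off, so the client accepts any
// certificate, including one presented by an on-path attacker.
// Constructed illustration, not code from the Alist repository.
func insecureClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedClientConfig is the corrected form: verification stays on (the
// default), the protocol floor is pinned explicitly, and ServerName fixes
// the host the certificate chain is checked against.
func hardenedClientConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}
}

// TLSConfigIssues returns one finding per problem in a tls.Config (nil when it
// passes); wiring it into a unit test guards against the flag being flipped back.
func TLSConfigIssues(c *tls.Config) []string {
	var issues []string
	if c.InsecureSkipVerify {
		issues = append(issues, "InsecureSkipVerify is true: server certificate is never verified")
	}
	if c.MinVersion == 0 {
		issues = append(issues, "MinVersion not pinned: protocol floor depends on the Go toolchain default")
	} else if c.MinVersion < tls.VersionTLS12 {
		issues = append(issues, "MinVersion permits TLS 1.0/1.1")
	}
	return issues
}

func main() {
	// Placeholder hostname; substitute the real Alist endpoint.
	configs := map[string]*tls.Config{
		"insecure": insecureClientConfig(),
		"hardened": hardenedClientConfig("alist.example.internal"),
	}
	for name, cfg := range configs {
		fmt.Printf("%-8s findings: %v\n", name, TLSConfigIssues(cfg))
	}
}
```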
CVE-2026-25160 is a CRITICAL vulnerability in Alist allowing attackers to intercept encrypted traffic. It affects versions before 3.57.0, potentially exposing sensitive data.
You are affected if you are running Alist version 3.57.0 or earlier. Immediately check your version and upgrade to mitigate the risk.
Upgrade Alist to version 3.57.0 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and strict TLS cipher suites.
Currently, there are no publicly known active exploitation campaigns, but the CRITICAL severity suggests a potential for exploitation.
Refer to the Alist project's GitHub repository and release notes for the official advisory and detailed information regarding the fix.