Platform
go
Component
github.com/alist-org/alist
Fixed versions
3.57.1
3.57.0
CVE-2026-25160 describes an Insecure TLS Config vulnerability within Alist, a file storage and sharing application. This flaw allows attackers to potentially compromise the confidentiality and integrity of data transmitted over HTTPS connections. The vulnerability impacts versions of Alist released before 3.57.0, and a fix is available in version 3.57.0.
The Insecure TLS Config vulnerability in Alist allows attackers to perform man-in-the-middle (MITM) attacks. By exploiting this weakness, an attacker can intercept and potentially decrypt sensitive data exchanged between clients and the Alist server, including usernames, passwords, and stored files. This could lead to unauthorized access, data theft, and further compromise of the system. The severity is CRITICAL due to the ease of exploitation and the potential for widespread impact, particularly in environments where Alist is used to store sensitive information.
CVE-2026-25160 was publicly disclosed on 2026-02-05. There are currently no publicly available proof-of-concept exploits. The vulnerability's criticality suggests a potential for exploitation if a readily available exploit is developed. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Organizations and individuals using Alist for file storage and sharing, particularly those handling sensitive data, are at significant risk. This includes users who have not regularly updated their Alist installation and those relying on default TLS configurations.
• go / server: Inspect Alist's TLS configuration for weak cipher suites or outdated protocols. Use openssl s_client -connect <alist-server>:443 to check the negotiated cipher suite, for example:
openssl s_client -connect alist.example.com:443 -tls1_2
• generic web: Use online TLS checkers (e.g., SSL Labs) to assess the server's TLS configuration and identify potential weaknesses.
• generic web: Monitor access logs for unusual traffic patterns or connections from unexpected IP addresses.
disclosure
Exploitation status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25160 is to immediately upgrade Alist to version 3.57.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as enforcing strict TLS cipher suites on the server and using a Web Application Firewall (WAF) to detect and block suspicious traffic patterns indicative of MITM attacks. Regularly review and update your TLS configuration to ensure it adheres to best practices and industry standards. After upgrading, confirm the TLS configuration is secure by using an online TLS checker tool.
Upgrade Alist to version 3.57.0 or later. This version fixes the insecure TLS configuration that allowed man-in-the-middle attacks. Upgrading ensures TLS certificate verification is enabled, protecting the confidentiality and integrity of storage-operation data in transit.
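As an added example (not Alist's code, and not a reproduction of the exact flaw), this Go program shows the class of misconfiguration the advisory describes and the check from the detection section above: a client that skips certificate verification accepts an untrusted certificate, while a client with verification left on rejects it, and a client that trusts the correct CA accepts it. The local httptest server and its self-signed certificate are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient builds an HTTP client whose TLS config either verifies the
// server certificate (skipVerify=false, the default and the fixed behaviour)
// or disables verification (skipVerify=true, the insecure setting).
func newClient(skipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: skipVerify, // weak when true: any cert, MITM goes unnoticed
		MinVersion:         tls.VersionTLS12,
	}}}
}

// Probe performs a GET with the given client and reports whether the TLS
// handshake (and therefore the request) was accepted.
func Probe(client *http.Client, url string) bool {
	resp, err := client.Get(url)
	if err != nil {
		return false // x509 verification failure surfaces here
	}
	resp.Body.Close()
	return true
}

// RunDemo starts a TLS server with a self-signed certificate that no system
// CA has issued (standing in for an interposed or misissued certificate) and
// returns (insecureAccepted, verifyingAccepted, trustedCAAccepted).
func RunDemo() (bool, bool, bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	defer srv.Close()
	insecure := Probe(newClient(true), srv.URL)  // accepts the untrusted cert
	verifying := Probe(newClient(false), srv.URL) // rejects: unknown authority
	trusted := Probe(srv.Client(), srv.URL)       // correct fix: trust the right CA
	return insecure, verifying, trusted
}

func main() {
	insecure, verifying, trusted := RunDemo()
	fmt.Printf("InsecureSkipVerify=true accepted untrusted cert: %v\n", insecure)
	fmt.Printf("default verification accepted untrusted cert:   %v\n", verifying)
	fmt.Printf("client trusting the proper CA accepted cert:    %v\n", trusted)
}
```

The point for reviewers is the third case: the remedy for a verification failure is to supply the correct CA bundle, never to set InsecureSkipVerify.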
CVE-2026-25160 is a CRITICAL vulnerability in Alist allowing attackers to intercept encrypted traffic. It affects versions before 3.57.0, potentially exposing sensitive data.
You are affected if you are running Alist version 3.57.0 or earlier. Immediately check your version and upgrade to mitigate the risk.
Upgrade Alist to version 3.57.0 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and strict TLS cipher suites.
Currently, there are no publicly known active exploitation campaigns, but the CRITICAL severity suggests a potential for exploitation.
Refer to the Alist project's GitHub repository and release notes for the official advisory and detailed information regarding the fix.