
Description

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed): the pinned certificate fingerprint is stored as a SHA-1 hash, although SHA-1 is considered weak. This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.

PUBLISHED Reserved 2025-04-16 | Published 2025-06-25 | Updated 2025-06-25 | Assigner sba-research

HIGH: 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-328: Use of Weak Hash

Product status

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Credits

Thomas Kostal finder

Andreas Boll finder

References

github.com/...-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash exploit

github.com/...erduck/security/advisories/GHSA-688c-vjrc-84rv exploit

github.com/...-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash third-party-advisory

github.com/...erduck/security/advisories/GHSA-688c-vjrc-84rv vendor-advisory

cve.org (CVE-2025-41256)

nvd.nist.gov (CVE-2025-41256)
