CVE-2026-25160 in alist

Summary

by MITRE • 02/04/2026

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0.


Analysis

by VulDB Data Team • 02/20/2026

The vulnerability described in CVE-2026-25160 is a critical security flaw in Alist, a multi-storage file list program built on the Gin web framework with a Solidjs frontend. It affects versions prior to 3.57.0 and stems from a default configuration that disables TLS certificate verification for all outgoing communications with storage drivers. In practice this means the HTTP client used by the drivers does not check whether the certificate presented by a remote storage service chains to a trusted CA or matches the expected hostname, so any endpoint that completes the TLS handshake is accepted. An attacker positioned on the network path can therefore terminate the connection with a certificate of their own and relay the traffic without the application noticing.

The operational impact is severe. With certificate verification disabled, a man-in-the-middle attacker who presents a forged certificate to the application can decrypt, read, and modify everything exchanged between Alist and its storage backends: the credentials and tokens sent to the storage service, file contents in both directions, metadata, and the parameters of each storage operation. Because the insecure default applies to every storage driver regardless of the backend service, the exposure is not limited to one provider, which makes the issue particularly dangerous for deployments that rely on Alist to manage data across multiple storage backends. The consequences go beyond data theft: by tampering with responses, an attacker can alter the outcome of storage operations or substitute the file contents that Alist serves to its users.

The weakness corresponds to CWE-295, Improper Certificate Validation. On the ATT&CK side the applicable technique is T1557, Adversary-in-the-Middle, rather than phishing or exfiltration techniques: the attacker does not need to trick a user or establish a command-and-control channel, only to sit on the path between Alist and the storage service. Organizations running affected versions face a significant risk of credential theft and unauthorized access to their storage infrastructure. Administrators should prioritize upgrading to version 3.57.0 or later, which re-enables TLS certificate verification for storage driver connections. Additional measures include monitoring storage connections for unexpected TLS endpoints or certificate changes, auditing storage configurations, and, where a backend uses a self-signed or private-CA certificate, trusting that specific CA rather than disabling verification globally. The patch addresses the root cause by restoring certificate validation, closing the man-in-the-middle vector against storage communications.
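The following Go program is an added example written for this page; it is not Alist's code and does not reproduce its driver implementation. It builds the weak transport configuration (InsecureSkipVerify: true, the pre-3.57.0 default described above) beside two hardened ones, then runs all three against a local TLS server whose self-signed certificate stands in for a forged certificate presented by a man-in-the-middle. The names newClient, fetch, Outcome and Demo are this example's own; the constructed response body "secret-file-listing" is sample data.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newClient builds the HTTP client an outgoing storage-driver request would use.
// insecure=true mirrors the vulnerable default (certificate verification off);
// insecure=false is the hardened form. rootCAs may be nil (system trust store)
// or a pool holding one explicitly trusted CA for a self-hosted backend.
func newClient(insecure bool, rootCAs *x509.CertPool) *http.Client {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: insecure, // vulnerable when true: chain and hostname checks are skipped
			RootCAs:            rootCAs,
			MinVersion:         tls.VersionTLS12,
		},
	}
	return &http.Client{Transport: tr}
}

// fetch performs a GET and returns the body, or the error from the TLS
// handshake or request.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// Outcome records how each client behaved against the same untrusted server.
type Outcome struct {
	InsecureOK  bool   // InsecureSkipVerify client accepted the forged certificate
	VerifiedErr string // error from the verifying client ("" would mean it accepted)
	PinnedOK    bool   // client trusting the server's own certificate succeeded
}

// Demo starts a TLS server whose certificate is signed by no trusted CA
// (httptest's built-in self-signed certificate plays the MitM) and runs the
// three clients against it. Sample data: the constructed body below.
func Demo() Outcome {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "secret-file-listing")
	}))
	defer srv.Close()

	var out Outcome

	// 1. Vulnerable default: verification off, the forged certificate is accepted
	//    and the "storage" traffic is readable by whoever holds that certificate.
	if body, err := fetch(newClient(true, nil), srv.URL); err == nil && body == "secret-file-listing" {
		out.InsecureOK = true
	}

	// 2. Hardened default: system roots only, the untrusted certificate is rejected.
	if _, err := fetch(newClient(false, nil), srv.URL); err != nil {
		out.VerifiedErr = err.Error()
	}

	// 3. Hardened with a pinned CA: the correct fix for a self-signed backend is to
	//    trust that one certificate, not to trust everything.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	if body, err := fetch(newClient(false, pool), srv.URL); err == nil && body == "secret-file-listing" {
		out.PinnedOK = true
	}
	return out
}

func main() {
	o := Demo()
	fmt.Printf("InsecureSkipVerify client accepted forged certificate: %v\n", o.InsecureOK)
	fmt.Printf("verifying client error: %s\n", o.VerifiedErr)
	fmt.Printf("client with pinned CA accepted the legitimate certificate: %v\n", o.PinnedOK)
}
```

Run it with `go run .` in a directory containing only this file. The verifying client fails the handshake with an x509 error while the insecure client silently reads the body, which is exactly the difference between the vulnerable and patched behaviour; the pinned-CA variant shows how an operator with a private backend keeps verification on without needing a public CA.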

Responsible

GitHub M

Reservation

01/29/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00012

KEV

no

Activities

very low

Sources
