CVE-2025-62514 (GCVE-0-2025-62514)
Vulnerability from cvelistv5 – Published: 2026-01-29 15:46 – Updated: 2026-01-29 21:29
VLAI?
Title
`libparsec_crypto` does not check for weak order point of curve 25519
Summary
Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue.
Severity ?
8.3 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Scille | parsec-cloud |
Affected:
>= 3.0.0-alpha, < 3.6.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T21:28:52.658721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T21:29:03.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parsec-cloud",
"vendor": "Scille",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1240",
"description": "CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T15:46:50.922Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9"
},
{
"name": "https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2"
},
{
"name": "https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138"
},
{
"name": "https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146"
},
{
"name": "https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366"
}
],
"source": {
"advisory": "GHSA-hrc9-gm58-pgj9",
"discovery": "UNKNOWN"
},
"title": "`libparsec_crypto` does not check for weak order point of curve 25519"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62514",
"datePublished": "2026-01-29T15:46:50.922Z",
"dateReserved": "2025-10-15T15:03:28.134Z",
"dateUpdated": "2026-01-29T21:29:03.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-62514",
"date": "2026-04-23",
"epss": "0.00021",
"percentile": "0.05866"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-62514\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-29T16:16:09.387\",\"lastModified\":\"2026-03-02T18:34:13.947\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue.\"},{\"lang\":\"es\",\"value\":\"Parsec es una aplicaci\u00f3n basada en la nube para el intercambio de archivos criptogr\u00e1ficamente seguro. En versiones de la rama 3.x anteriores a la 3.6.0, \u0027libparsec_crypto\u0027, un componente de la aplicaci\u00f3n Parsec, no verifica los puntos de orden d\u00e9bil de Curve25519 cuando se compila con su backend RustCrypto. En la pr\u00e1ctica, esto significa que un atacante en una posici\u00f3n de man-in-the-middle podr\u00eda proporcionar puntos de orden d\u00e9bil a ambas partes en el intercambio Diffie-Hellman, lo que resultar\u00eda en una alta probabilidad de que ambas partes obtengan la misma clave compartida (lo que llevar\u00eda a un intercambio exitoso de c\u00f3digo SAS, enga\u00f1ando a ambas partes para que piensen que no ha ocurrido ning\u00fan MitM) y que tambi\u00e9n es conocida por el atacante. Tenga en cuenta que solo Parsec web se ve afectado (ya que Parsec desktop utiliza \u0027libparsec_crypto\u0027 con el backend libsodium). La versi\u00f3n 3.6.0 de Parsec corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-327\"},{\"lang\":\"en\",\"value\":\"CWE-1240\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parsec.cloud:parsec:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.6.0\",\"matchCriteriaId\":\"9D49E3B8-67B7-4237-8154-4131F8001A75\"}]}]}],\"references\":[{\"url\":\"https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-62514\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-29T21:28:52.658721Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-29T21:28:58.803Z\"}}], \"cna\": {\"title\": \"`libparsec_crypto` does not check for weak order point of curve 25519\", \"source\": {\"advisory\": \"GHSA-hrc9-gm58-pgj9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Scille\", \"product\": \"parsec-cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-alpha, \u003c 3.6.0\"}]}], \"references\": [{\"url\": \"https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9\", \"name\": \"https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2\", \"name\": \"https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138\", \"name\": \"https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146\", \"name\": \"https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366\", \"name\": \"https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-327\", \"description\": \"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1240\", \"description\": \"CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-29T15:46:50.922Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-62514\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-29T21:29:03.456Z\", \"dateReserved\": \"2025-10-15T15:03:28.134Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-29T15:46:50.922Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…