CVE-2026-25160
📋 TL;DR
Versions of the Alist file list program before 3.57.0 disable TLS certificate verification by default for all outgoing storage communications, leaving every data transfer exposed to man-in-the-middle (MITM) attacks. An attacker in that position can intercept, decrypt, steal, and manipulate all data transmitted during storage operations. Any organization using a vulnerable Alist version for file storage across multiple cloud services is affected.
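To make the weak default concrete, here is an added Go example (Alist is written in Go, but this is not Alist's own code): a client factory that reproduces the pre-3.57.0 behaviour beside the hardened setting, probed against a constructed local backend that presents a certificate no trusted CA signed. The function and server names are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newStorageClient builds the HTTP client for outgoing storage requests.
// skipVerify=true reproduces the pre-3.57.0 default; false is the hardened setting.
func newStorageClient(skipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: skipVerify, // the vulnerable knob
		},
	}}
}

// probe issues one GET and reports whether it connected and, if not,
// whether the failure was a certificate-validation error.
func probe(c *http.Client, url string) (connected bool, certErr bool) {
	resp, err := c.Get(url)
	if err != nil {
		var unk x509.UnknownAuthorityError
		return false, errors.As(err, &unk) || strings.Contains(err.Error(), "x509:")
	}
	resp.Body.Close()
	return true, false
}

// startFakeStorage is a constructed stand-in for a storage backend whose
// certificate is untrusted, which is exactly what an on-path interceptor presents.
func startFakeStorage() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "bucket listing")
	}))
}

func main() {
	srv := startFakeStorage()
	defer srv.Close()
	for _, skip := range []bool{true, false} { // vulnerable default first, then fixed
		connected, certErr := probe(newStorageClient(skip), srv.URL)
		fmt.Printf("InsecureSkipVerify=%v connected=%v certificate_error=%v\n", skip, connected, certErr)
	}
}
```

With verification disabled the client happily talks to the untrusted endpoint; with it enabled the handshake is rejected with an x509 error, which is the failure a defender should expect to see in logs once the fix is applied.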
💻 Affected Systems
- Alist
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all data transmitted to/from storage backends, including sensitive files, credentials, and configuration data. Attackers can inject malicious content, exfiltrate all stored data, and potentially gain access to connected storage accounts.
Likely Case
Data interception and theft during transmission, particularly in untrusted networks. Attackers can read all file transfers and potentially inject malicious content into stored files.
If Mitigated
Limited impact if TLS verification is manually enabled or if all communications occur within trusted, isolated networks with additional encryption layers.
🎯 Exploit Status
Exploitation requires network position to intercept traffic (e.g., same network segment, compromised router, or ISP). No authentication or special privileges needed on the Alist server itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.57.0
Vendor Advisory: https://github.com/AlistGo/alist/security/advisories/GHSA-8jmm-3xwx-w974
Restart Required: Yes
Instructions:
1. Back up the Alist configuration and data.
2. Stop the Alist service.
3. Update to version 3.57.0 or later using your package manager or by downloading from GitHub releases.
4. Restart the Alist service.
5. Verify that TLS verification is enabled in the configuration.
🔧 Temporary Workarounds
Enable TLS certificate verification manually
Manually configure Alist to enable TLS certificate verification in its configuration files before patching.
Edit the Alist configuration file and set 'verify_tls: true' or the equivalent setting for your storage drivers.
Network segmentation and encryption
Isolate Alist traffic to trusted networks and implement additional encryption layers.
🧯 If You Can't Patch
- Restrict Alist to communicate only over trusted, internal networks with no internet exposure
- Implement network-level TLS inspection or VPN tunnels for all storage communications
🔍 How to Verify
Check if Vulnerable:
Check the Alist version: if it is lower than 3.57.0, the system is vulnerable. Also check the configuration for TLS verification settings.
Check Version:
alist version (or check version in web interface or configuration files)
Verify Fix Applied:
Verify Alist version is 3.57.0 or higher and confirm TLS verification is enabled in configuration.
📡 Detection & Monitoring
Log Indicators:
- Failed TLS certificate validations (if logging enabled)
- Unexpected storage connection failures
Network Indicators:
- Unencrypted or improperly encrypted traffic to storage endpoints
- MITM attack patterns in network traffic
SIEM Query:
source="alist" AND (event="storage_connection" OR event="tls_error")