CVE-2025-54792
BaseFortify

Publication date: 2025-08-01

Last updated on: 2025-09-03

Assigner: GitHub, Inc.

Description
LocalSend is an open-source app for securely sharing files and messages with nearby devices over a local network, without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-the-Middle (MitM) vulnerability in the software's discovery protocol allows an unauthenticated attacker on the same local network to impersonate legitimate devices and silently intercept, read, and modify any file transfer. This can be used to steal sensitive data or to inject malware, such as ransomware, into files shared between trusted users. The attack is hard to detect and easy to carry out, posing a severe and immediate security risk. This issue was fixed in version 1.17.0.
Meta Information
Published: 2025-08-01
Last Modified: 2025-09-03
Generated: 2026-05-06
AI Q&A: 2025-08-02
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (1 associated CPE)
Vendor: localsend
Product: localsend
Version / Range: all versions before 1.17.0 (1.17.0 excluded)
CWE
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-300: The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a critical Man-in-the-Middle (MitM) flaw in LocalSend's discovery protocol in versions 1.16.1 and below. It allows an unauthenticated attacker on the same local network to impersonate legitimate devices, intercepting, reading, and modifying any file transfer silently. This means the attacker can steal sensitive data or inject malware into files shared between trusted users without detection.

How can this vulnerability impact me?

The vulnerability can lead to severe security risks including theft of sensitive data and injection of malware such as ransomware into files shared between trusted users. Because the attack is silent and easy to perform, it can compromise the confidentiality and integrity of file transfers on the local network, potentially causing data breaches and system infections.

What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade LocalSend to version 1.17.0 or later, where the critical Man-in-the-Middle vulnerability in the discovery protocol has been fixed. Until the upgrade is applied, avoid using LocalSend on untrusted or public local networks to reduce the risk of interception and tampering.