CVE-2025-55014
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-04

Last updated on: 2025-11-04

Assigner: MITRE

Description
The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-04
Last Modified
2025-11-04
Generated
2026-05-06
AI Q&A
2025-08-04
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
stardict stardict 3.0.7+git20220909+dfsg-6
stardict stardict-plugin *
stardict youdao_plugin *
Helpful Resources
Exploitability
CWE
KEV
CWE ID Description
CWE-402 The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-55014 is a privacy and security vulnerability in the StarDict dictionary application, specifically involving the YouDao plugin. When a user selects text in any application under X11, the YouDao plugin automatically sends the selected text to external servers (dict.youdao.com and dict.cn) via unencrypted HTTP requests without user consent or notification. This means that any text you select, including potentially sensitive information, is transmitted over the network in cleartext to these external Chinese dictionary servers. This behavior is enabled by default and occurs immediately upon text selection, posing a significant privacy risk. [3, 4]


How can this vulnerability impact me?

This vulnerability can impact you by exposing any text you select on your computer to external servers without your knowledge or consent. Since the data is sent unencrypted over HTTP, it can be intercepted by network observers, potentially revealing sensitive or confidential information such as passwords, private messages, or other personal data. This unauthorized data transmission compromises your privacy and security. Additionally, the automatic nature of this behavior means you might not be aware that your selections are being sent externally. [3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for unencrypted HTTP GET requests sent to the dict.youdao.com or dict.cn servers that carry user-selected text. On a system running StarDict under X11, network monitoring tools such as tcpdump or Wireshark can capture and filter HTTP traffic to these domains. Running strace on the StarDict process can also reveal the outgoing connections; for example, `strace -f -e trace=network -p <stardict_pid>` shows the socket calls the process (and its threads) make. A capture such as `tcpdump -i <interface> -A '(host dict.youdao.com or host dict.cn) and port 80'` prints the cleartext request payloads, so the transmitted selection is visible directly in the capture output (the parentheses matter: in BPF filter syntax `and` binds tighter than `or`, so without them the port restriction would apply only to dict.cn). [3, 4]
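
As an added illustration of the detection idea above (this is example code written for this page, not part of StarDict, the YouDao plugin, or the CVE record), the following Python script takes HTTP request text as it would appear in `tcpdump -A` output or a proxy log, parses the request line and `Host` header, and flags cleartext requests to the two hosts named in the advisory, extracting whatever query parameters travelled in the clear. The request paths and parameter names in the sample data are constructed placeholders: the page does not state the plugin's actual URL format, so the script keys on the host and port, not on a specific path.

```python
"""Flag cleartext HTTP dictionary lookups in captured request text.

Example detection logic for CVE-2025-55014 style leaks: any plain-HTTP request
to the hosts named in the advisory is reported, together with the query
parameters (i.e. the user-selected text) that were sent unencrypted.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts named in the CVE description. A request to either over port 80 means a
# selection left the machine in cleartext.
WATCHED_HOSTS = {"dict.youdao.com", "dict.cn"}


def parse_request(text):
    """Parse the request line and headers of one HTTP request.

    Accepts the text block of a single request (as printed by `tcpdump -A`
    after the packet header, or as logged by a proxy). Returns a dict with
    method, target and host, or None if the text is not an HTTP request.
    """
    lines = text.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    # Drop an explicit port such as "dict.cn:80" and normalise case.
    host = headers.get("host", "").split(":")[0].lower()
    return {"method": method, "target": target, "host": host}


def find_cleartext_dict_lookups(requests):
    """Return one finding per cleartext request to a watched host.

    Each finding records the host, the request path and every query value,
    since the query string is where selected text would be carried.
    """
    findings = []
    for raw in requests:
        req = parse_request(raw)
        if req is None or req["host"] not in WATCHED_HOSTS:
            continue
        split = urlsplit(req["target"])
        params = parse_qs(split.query)  # parse_qs already URL-decodes values
        leaked = [v for values in params.values() for v in values]
        findings.append(
            {"host": req["host"], "path": split.path, "leaked_text": leaked}
        )
    return findings


# Constructed sample requests (paths and parameter names are placeholders,
# not the plugin's real URL format). Only the first, second and fourth
# should be flagged; the third goes to an unrelated host.
SAMPLE_REQUESTS = [
    "GET /lookup?q=my+secret+password HTTP/1.1\r\n"
    "Host: dict.youdao.com\r\nUser-Agent: StarDict\r\n\r\n",
    "GET /define?word=hello HTTP/1.1\r\nHost: dict.cn:80\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: dict.youdao.com\r\n\r\n",
]

if __name__ == "__main__":
    for finding in find_cleartext_dict_lookups(SAMPLE_REQUESTS):
        print(f"cleartext lookup to {finding['host']}{finding['path']}: "
              f"leaked={finding['leaked_text']}")
```

In practice the requests would come from a capture rather than the embedded list; the key defensive signal is simply a port-80 request to these hosts, which a network IDS rule or proxy log filter can match without needing to know the plugin's URL layout.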


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include adjusting StarDict settings to limit or disable the problematic behavior. Specifically, enable the option "Only scan while the modifier key is being pressed" under "Scan Selection" to restrict automatic scanning of selections. Alternatively, disable the network dictionary plugins such as the YouDao and dict.cn plugins entirely to prevent any data from being sent externally. Using Wayland instead of X11 can also mitigate the issue, as Wayland sandboxes applications and prevents StarDict from accessing text selections from other applications by default. [1]

