CVE-2025-62514
Curve25519 Weak Order Point Vulnerability in Parsec Web Crypto Module
Publication date: 2026-01-29
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parsec.cloud | parsec | From 3.0.0 (inc) to 3.6.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1240 | To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation. |
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
AI Powered Q&A
How can this vulnerability impact me?
If you use a Parsec web client older than 3.6.0 with the RustCrypto backend, an attacker in a man-in-the-middle position can exploit this vulnerability to learn the shared secret key established between you and the other party. This compromises the confidentiality and integrity of your encrypted communications and file sharing, allowing the attacker to impersonate either party and potentially access or manipulate sensitive data without detection. The attacker can also bypass the SAS code verification, so the connection appears secure when it is not. [5, 4]
Can you explain this vulnerability to me?
This vulnerability exists in the RustCrypto backend that the Parsec web application uses for cryptographic operations. Specifically, the `libparsec_crypto` component does not check for weak (low-order) points in Curve25519 public keys during the Diffie-Hellman key exchange. An attacker in a man-in-the-middle position can supply such points to both parties, so that each derives the same shared secret key, which the attacker also knows. This allows the attacker to impersonate one party to the other and bypass the Secure Authentication String (SAS) code verification, misleading both parties into believing the communication is secure when it is not. The issue affects only the Parsec web client; the desktop client uses a different backend that is not vulnerable. The vulnerability was fixed in Parsec version 3.6.0. [5, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability lies in the cryptographic implementation of the RustCrypto backend of libparsec_crypto used by Parsec web clients. Detection consists of verifying whether your Parsec installation uses the vulnerable RustCrypto backend at a version prior to 3.6.0. Because the issue is cryptographic and internal to the key exchange, no specific network commands are provided to detect weak order points or MITM attacks exploiting it. You can, however, check the Parsec version and backend in use, for example with `parsec --version` or by inspecting your installed packages. Reviewing logs or error messages related to shared secret key generation failures might also indicate attempted exploitation. [5]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade your Parsec web client and the libparsec_crypto RustCrypto backend to version 3.6.0 or later, where the issue is patched. The patch adds checks that the shared secret key generated via Diffie-Hellman is contributory and rejects weak order points, preventing the attack. If upgrading is not immediately possible, consider avoiding the RustCrypto backend and using the libsodium backend instead, as it is not affected. Additionally, monitor for unusual authentication or key exchange failures that might indicate exploitation attempts. [4, 5]