CVE-2025-62514
Unknown Unknown - Not Provided
Curve25519 Weak Order Point Vulnerability in Parsec Web Crypto Module

Publication date: 2026-01-29

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62514
EUVD
EUVD-2025-206513
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parsec.cloud parsec From 3.0.0 (inc) to 3.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1240 To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

If you use the Parsec web client versions prior to 3.6.0 with the RustCrypto backend, an attacker positioned as a man-in-the-middle can exploit this vulnerability to intercept and know the shared secret key established between you and the other party. This compromises the confidentiality and integrity of your encrypted communications and file sharing, allowing the attacker to impersonate either party and potentially access or manipulate sensitive data without detection. The attacker can also bypass the SAS code verification, making it appear that the connection is secure when it is not. [5, 4]

Executive Summary

This vulnerability exists in the Parsec web application's RustCrypto backend for cryptographic operations. Specifically, the `libparsec_crypto` component does not check for weak order points in Curve25519 public keys during the Diffie-Hellman key exchange. An attacker in a man-in-the-middle position can supply weak order points to both parties, causing them to derive the same shared secret key that the attacker also knows. This allows the attacker to impersonate one party to the other and bypass the Secure Authentication String (SAS) code verification, misleading both parties into believing the communication is secure when it is not. The issue affects only the Parsec web client, as the desktop client uses a different backend that is not vulnerable. The vulnerability was fixed in Parsec version 3.6.0. [5, 4]

Detection Guidance

This vulnerability relates to the cryptographic implementation in the RustCrypto backend of libparsec_crypto used by Parsec web clients. Detection involves verifying if your Parsec installation uses the vulnerable RustCrypto backend prior to version 3.6.0. Since the issue is cryptographic and internal to the key exchange, direct network detection commands are not provided. However, you can check the Parsec version and backend in use. For example, check the Parsec version with commands like `parsec --version` or inspect your installed packages. Additionally, reviewing logs or error messages related to shared secret key generation failures might indicate attempts to exploit this vulnerability. There are no specific network commands provided to detect weak order points or MITM attacks exploiting this vulnerability. [5]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade your Parsec web client and libparsec_crypto RustCrypto backend to version 3.6.0 or later, where the issue is patched. The patch adds checks to ensure the shared secret key generated via Diffie-Hellman is contributory and rejects weak order points, preventing the attack. If upgrading is not immediately possible, consider disabling or avoiding the RustCrypto backend and use the libsodium backend instead, as it is not affected. Additionally, monitor for any unusual authentication or key exchange failures that might indicate exploitation attempts. [4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62514. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart