CVE-2025-54792

Aug. 1, 2025, 11:15 p.m.

9.3
Critical

Description

LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-the-Middle (MitM) vulnerability in the software's discovery protocol allows an unauthenticated attacker on the same local network to impersonate legitimate devices, silently intercepting, reading, and modifying any file transfer. This can be used to steal sensitive data or inject malware, like ransomware, into files shared between trusted users. The attack is hardly detectable and easy to implement, posing a severe and immediate security risk. This issue was fixed in version 1.17.0.

Product(s) Impacted

Vendor Product Versions
Localsend
  • Localsend
  • 1.16.1, <1.17.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-300
Channel Accessible by Non-Endpoint
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a localsend localsend 1.16.1 / / / / / / /
a localsend localsend <1.17.0 / / / / / / /

References

https://github.com/localsend/localsend/commit/e8635204ec782ded45bc7d698deb60f3c4105687
https://github.com/localsend/localsend/releases/tag/v1.17.0
https://github.com/localsend/localsend/security/advisories/GHSA-424h-5f6m-x63f

Tags

security-advisories@github.com
CWE-300
2025-08-01
CVE-2025-54792

CVSS Score

9.3 / 10

CVSS Data - 4.0

  • Attack Vector: ADJACENT
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Aug. 1, 2025, 11:15 p.m.
Last Modified: Aug. 1, 2025, 11:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.