Home > Vulnerability Database > CVE-2025-62514

Mend.io Vulnerability Database

CVE-2025-62514

Good to know:

Date: January 29, 2026

Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, "libparsec_crypto", a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses "libparsec_crypto" with the libsodium backend). Version 3.6.0 of Parsec patches the issue.

Severity Score

8.3

Related Resources (7)

Url: https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366

Url: https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62514

Url: https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146

Url: https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138

Url: https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2

Url: https://www.mend.io/vulnerability-database/CVE-2025-62514

Severity Score

8.3

Weakness Type (CWE)

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

Use of a Cryptographic Primitive with a Risky Implementation

CWE-1240

Top Fix

Upgrade Version

Upgrade to version https://github.com/Scille/parsec-cloud.git - v3.6.0

Learn More

CVSS v3.1

Base Score:	8.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62514

Good to know:

Date: January 29, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?