CVE-2025-29331

Name of the Vulnerable Software and Affected Versions: 3X-UI versions prior to 2.5.3

Description: The issue allows a remote attacker to execute arbitrary code via the management script. This is possible because the x-ui passes the no check certificate option to wget when downloading updates, which means it does not verify certificates when downloading menu updates.

Recommendations: For versions prior to 2.5.3, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider disabling the automatic update feature in the management script until a patch is available. Restrict access to the wget command with the no check certificate option to minimize the risk of exploitation. Avoid using the x-ui management script for downloading updates until the issue is resolved.