PT-2025-47339 · Unknown · Gosign Desktop

Author: Marco Lunardi · Published: 2025-11-18 · Updated: 2025-11-19 · CVE-2025-34324

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GoSign Desktop versions 2.4.0 and earlier

Description: GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for application updates. The manifest lists package URLs and SHA-256 hashes but carries no digital signature, so authenticity rests entirely on the TLS channel. When TLS certificate validation is disabled through the proxy configuration, an attacker who intercepts network traffic can serve a malicious update manifest together with a package whose hash matches it. The client then downloads and installs the compromised update, which can result in arbitrary code execution with the privileges of the GoSign Desktop user on Windows and macOS, or with elevated privileges on certain Linux deployments. A local attacker who can modify the proxy settings can use the same weakness to escalate privileges by installing a crafted update.

Recommendations: Update GoSign Desktop to a version later than 2.4.0.
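The weakness described above is that a hash embedded in the manifest only proves the package matches the manifest, not that the manifest came from the vendor; once the transport is untrusted, both can be replaced together. The following Go program is an added illustration written for this page, not GoSign's code or its manifest format: it contrasts a hash-only verifier with one that first checks an Ed25519 signature over the manifest against a key pinned in the client. The manifest fields, the URLs, the package bytes and the key pair are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest carries the two fields the advisory mentions: a package URL and
// its SHA-256. Field names and layout are assumptions of this example.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// canonical returns deterministic bytes to sign: json.Marshal of a struct
// emits fields in declaration order, so the encoding is stable.
func canonical(m Manifest) []byte {
	b, _ := json.Marshal(m)
	return b
}

// verifyHashOnly models the weak scheme: a package is accepted whenever its
// SHA-256 equals the value in the manifest. Whoever controls both the
// manifest and the package trivially satisfies this check.
func verifyHashOnly(m Manifest, pkg []byte) error {
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match manifest")
	}
	return nil
}

// verifySigned models the hardened scheme: the manifest must carry a valid
// Ed25519 signature under a key pinned in the client; only then is the
// package hash compared. Without the private key no one can mint a manifest.
func verifySigned(pub ed25519.PublicKey, m Manifest, sig []byte, pkg []byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return errors.New("manifest signature invalid")
	}
	return verifyHashOnly(m, pkg)
}

// makeManifest builds a manifest whose hash matches pkg, as either the
// vendor or an attacker would.
func makeManifest(version, url string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])}
}

// scenario builds a constructed genuine update and a constructed tampered
// one, then reports (hashOnlyAcceptsTampered, signedAcceptsTampered,
// signedAcceptsGenuine).
func scenario() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuinePkg := []byte("constructed genuine installer bytes")
	genuine := makeManifest("2.4.1", "https://updates.example.invalid/gosign-2.4.1.pkg", genuinePkg)
	sig := ed25519.Sign(priv, canonical(genuine))

	// Tampered manifest and package served over an unvalidated channel; the
	// hash inside is self-consistent, so a hash-only client is satisfied.
	evilPkg := []byte("constructed malicious installer bytes")
	evil := makeManifest("2.4.1", "https://attacker.example.invalid/gosign-2.4.1.pkg", evilPkg)
	replayedSig := sig // the only signature available is the vendor's, over other bytes

	hashOnlyTampered := verifyHashOnly(evil, evilPkg) == nil
	signedTampered := verifySigned(pub, evil, replayedSig, evilPkg) == nil
	signedGenuine := verifySigned(pub, genuine, sig, genuinePkg) == nil
	return hashOnlyTampered, signedTampered, signedGenuine
}

func main() {
	a, b, c := scenario()
	fmt.Printf("hash-only verifier accepts tampered update: %v\n", a)
	fmt.Printf("signed-manifest verifier accepts tampered update: %v\n", b)
	fmt.Printf("signed-manifest verifier accepts genuine update: %v\n", c)
}
```

The point the run makes is that the hash-only verifier returns no error for the tampered update while the signed verifier rejects it and still accepts the genuine one. In a real client the public key would be compiled into the binary rather than fetched, and the signed manifest should also bind the version so that an old, signed manifest cannot be replayed to downgrade the installation.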

Tags: Exploit · Fix · RCE · Improper Verification of Cryptographic Signature


Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers: CVE-2025-34324

Affected Products: Gosign Desktop