PT-2026-5304 · Unknown+1 · Libparsec Crypto+1

Published: 2026-01-29 · Updated: 2026-03-02

CVE-2025-62514

CVSS v3.1: 8.3 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Parsec versions prior to 3.6.0

Description: Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, the libparsec crypto component does not check for weak order points of Curve25519 when compiled with its RustCrypto backend. This allows an attacker in a man-in-the-middle position to provide weak order points to both parties during the Diffie-Hellman exchange. This can result in both parties obtaining the same shared key, enabling a successful SAS code exchange and misleading both parties into believing no MITM attack has occurred. Only Parsec web is impacted. The vulnerable component is libparsec crypto.

Recommendations: Update to Parsec version 3.6.0 or later.
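
The missing check from the description, as an added example (not libparsec code and not the Parsec project's fix): a plain-Python X25519 following RFC 7748, showing that the weak-order u-coordinates 0 and 1 give unrelated private keys the same all-zero secret, next to the all-zero rejection from RFC 7748 section 6.1 that stops it. The key values and the names `checked_shared_secret`, `WeakPointError` and `is_rejected` are constructed for illustration.

```python
# Illustration only: big-integer Python is not constant-time; use a vetted library in production.
import hmac

P = 2**255 - 19          # field prime of Curve25519
A24 = 121665             # (486662 - 2) / 4, from RFC 7748

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 ladder with no check on the result (the unsafe form)."""
    s = bytearray(k)
    s[0] &= 248; s[31] &= 127; s[31] |= 64          # clamp the scalar
    scalar = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (scalar >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

class WeakPointError(ValueError):
    """Peer key produced an all-zero (non-contributory) shared secret."""

def checked_shared_secret(private: bytes, peer_public: bytes) -> bytes:
    """X25519 plus the all-zero output check of RFC 7748 section 6.1."""
    raw = x25519(private, peer_public)
    if hmac.compare_digest(raw, bytes(32)):
        raise WeakPointError("peer public key is a weak-order point")
    return raw

# Constructed sample values: two unrelated private keys, the base point, two weak-order points.
ALICE, BOB = bytes(range(1, 33)), bytes(range(101, 133))
BASE = (9).to_bytes(32, "little")
WEAK_POINTS = [(0).to_bytes(32, "little"), (1).to_bytes(32, "little")]

def is_rejected(private: bytes, peer_public: bytes) -> bool:
    try:
        checked_shared_secret(private, peer_public)
        return False
    except WeakPointError:
        return True
```

Because the unchecked secret is the same constant for every private key, anything derived from it alone, such as a SAS code, matches on both sides; the check turns that silent agreement into an explicit failure.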

Exploit

Fix

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2025-62514
GHSA-HRC9-GM58-PGJ9

Affected Products

Parsec
Libparsec Crypto