What is the CVSS score of CVE-2025-62514?

CVE-2025-62514 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Parsec are affected by CVE-2025-62514?

Parsec versions 3.x prior to 3.6.0 contain a cryptographic vulnerability that could allow attackers positioned between users and the service to decrypt file-sharing communications.. A patch is available.

Is there a public PoC exploit available for CVE-2025-62514?

Yes, a public proof-of-concept exploit is available for CVE-2025-62514. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-62514?

Within 24 hours: Identify all systems running Parsec 3.x versions prior to 3.6.0 and classify by user count and data sensitivity. Within 7 days: Apply patch to version 3.6.0 or later on all identified systems, prioritizing production environments and users handling classified or regulated data. Within 30 days: Conduct post-patch verification and review file-sharing logs from the vulnerability window for indicators of compromise.

Parsec CVE-2025-62514

HIGH

Use of a Broken or Risky Cryptographic Algorithm (CWE-327)

2026-01-29 security-advisories@github.com

Information Disclosure Parsec

8.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.3 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Mar 02, 2026 - 18:34 vuln.today

Public exploit code

Patch released

Mar 02, 2026 - 18:34 nvd

Patch available

CVE Published

Jan 29, 2026 - 16:16 nvd

HIGH 8.3

DescriptionGitHub Advisory

Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, libparsec_crypto, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses libparsec_crypto with the libsodium backend). Version 3.6.0 of Parsec patches the issue.

AnalysisAI

Technical ContextAI

This vulnerability (CWE-327: Use of a Broken or Risky Cryptographic Algorithm) affects Parsec. Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, libparsec_crypto, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

CVE-2025-62514 vulnerability details – vuln.today

Back