VYPR
High severity8.0OSV Advisory· Published Jun 25, 2025· Updated Apr 15, 2026

CVE-2025-41255

CVE-2025-41255

Description

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.

This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Iterate Ch/CyberduckOSV2 versions
    $TAG_NAME, release-3-3, release-3-3-1, …+ 1 more
    • (no CPE)range: $TAG_NAME, release-3-3, release-3-3-1, …
    • (no CPE)range: <=9.1.6
  • Range: <=4.17.5

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.