CVE-2025-54792
MEDIUMLocalSend < 1.17.0 - Unauthenticated Man-in-the-Middle via Discovery Protocol
Title source: llmDescription
LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-the-Middle (MitM) vulnerability in the software's discovery protocol allows an unauthenticated attacker on the same local network to impersonate legitimate devices, silently intercepting, reading, and modifying any file transfer. This can be used to steal sensitive data or inject malware, like ransomware, into files shared between trusted users. The attack is hardly detectable and easy to implement, posing a severe and immediate security risk. This issue was fixed in version 1.17.0.
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/localsend/localsend/security/advisories/GHSA-424h-5f6m-x63f
Patch x_refsource_misc
https://github.com/localsend/localsend/commit/e8635204ec782ded45bc7d698deb60f3c4105687
Release Notes x_refsource_misc
https://github.com/localsend/localsend/releases/tag/v1.17.0
Scores
CVSS v3
6.8
EPSS
0.0024
EPSS Percentile
15.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-300
CWE-345
Status
published
Products (1)
localsend/localsend
< 1.17.0
Published
Aug 01, 2025
Tracked Since
Feb 18, 2026