CVE-2026-25160

Alist · Alist

Alist versions prior to 3.57.0 disable TLS certificate verification by default, exposing all outgoing storage driver communications to Man-in-the-Middle (MitM) attacks and data theft.

Executive summary

A critical security misconfiguration in Alist disables TLS verification by default, allowing attackers to intercept, decrypt, and manipulate sensitive data via Man-in-the-Middle attacks.

Vulnerability

The application is configured to bypass TLS certificate verification for all outgoing storage driver communications by default. This allows a network-adjacent or positioned attacker to perform a Man-in-the-Middle (MitM) attack, compromising the integrity and confidentiality of data without requiring authentication.
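To make the misconfiguration concrete, the following added Go example (not Alist's own code; `newClient`, `probe` and `demo` are hypothetical helpers) builds two HTTP clients, one with TLS verification disabled in the way the advisory describes and one with it enabled, and sends each to a local TLS server that presents a self-signed certificate, which is exactly what an interposed proxy would present. Only the non-verifying client accepts the connection.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClient builds an HTTP client. skipVerify=true reproduces the weak default
// described in the advisory; skipVerify=false is the corrected setting.
// Hypothetical helper for illustration, not Alist's configuration code.
func newClient(skipVerify bool) *http.Client {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: skipVerify, // the dangerous knob: true trusts any certificate
			MinVersion:         tls.VersionTLS12,
		},
	}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}
}

// probe returns nil when the client completes a TLS handshake and GET against url.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// demo starts a local TLS server whose certificate is self-signed and not in any
// trust store (the situation a MitM creates) and reports which client accepted it.
func demo() (insecureOK bool, verifyingOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	defer srv.Close()
	insecureOK = probe(newClient(true), srv.URL) == nil   // expected: true
	verifyingOK = probe(newClient(false), srv.URL) == nil // expected: false
	return insecureOK, verifyingOK
}

func main() {
	insecureOK, verifyingOK := demo()
	fmt.Println("InsecureSkipVerify=true accepted untrusted certificate: ", insecureOK)
	fmt.Println("InsecureSkipVerify=false accepted untrusted certificate:", verifyingOK)
}
```

The verifying client fails with an `x509` "certificate signed by unknown authority" error, which is the behaviour version 3.57.0 restores by default; the same rejection is what to expect in Alist logs as a storage connection error if a real interception is in progress.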

Business impact

The impact is severe (CVSS 9.1), as it permits the complete decryption and manipulation of user data transmitted to various storage providers. This could lead to the theft of sensitive credentials, unauthorized access to cloud storage, and large-scale data breaches, resulting in significant regulatory and legal liabilities.

Remediation

Immediate Action: Upgrade Alist to version 3.57.0 or later, which enables TLS certificate verification by default for all storage drivers.

Proactive Monitoring: Inspect network traffic for unusual certificates or intercepted connections and review Alist logs for storage connection errors.

Compensating Controls: Ensure that Alist is deployed within a secure, encrypted network segment and use VPNs or dedicated tunnels for storage traffic where possible.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Disabling TLS verification is a catastrophic failure of transport security. It is imperative that administrators update to version 3.57.0 immediately to restore the confidentiality and integrity of their data transfers.