Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate fingerprint is stored as SHA-1, although SHA-1 is considered weak.
This issue affects Cyberduck: through 9.1.6; Mountain Duck: through 4.17.5.
{
"cna_assigner": "sba-research",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/41xxx/CVE-2025-41256.json",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"last_affected": "4.17.5"
}
]
}
],
"cwe_ids": [
"CWE-328"
]
}{
"source": [
"AFFECTED_FIELD",
"DESCRIPTION"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "9.1.6"
},
{
"fixed": "9.1.6"
}
]
}