
DLSEC-2025-1: 3X-UI Update Accepts Forged Server Certificates

Affected Versions: < v2.5.3
CWE: CWE-295 Improper Certificate Validation

3X-UI is an Xray panel that supports multiple protocols and users with features including expiration dates, traffic limits, IP restrictions, and compatibility with Vmess, Vless, Trojan, ShadowSocks, and Wireguard.

3X-UI before v2.5.3 does not verify the server's TLS certificate when downloading updates through its menu, because the management script x-ui passes the --no-check-certificate option to wget.

An attacker who can intercept the connection (through DNS poisoning, MITM attack, etc.) could serve a malicious version of the script that would be downloaded and made executable. The x-ui script requires root privileges to run, meaning any code execution resulting from this vulnerability would occur with full system privileges. This could lead to complete system compromise when administrators attempt to update their 3X-UI installation.
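The following is an added example, not 3X-UI's own x-ui script or the code from the fix. It places the weak pattern the advisory describes (wget told to skip certificate checks) beside a hardened updater that keeps wget's default certificate validation, downloads to a temporary file, and only marks the file executable after its digest matches a value obtained out of band. It also includes a small check an administrator can run over installed management scripts to flag the flag. UPDATE_URL and EXPECTED_SHA256 are placeholders, not the project's real update URL or digest.

```shell
#!/bin/sh
# Added example, not 3X-UI's own script. It shows the CWE-295 pattern the
# advisory describes next to a hardened updater, plus a check that flags
# scripts which disable certificate validation.
# UPDATE_URL and EXPECTED_SHA256 are placeholders, not the project's values.

UPDATE_URL="https://example.invalid/x-ui.sh"     # placeholder, not the real update URL
EXPECTED_SHA256="<digest published out of band>" # placeholder; must come from a trusted channel

# Weak pattern: the TLS certificate is never checked, so whoever the
# connection reaches (DNS poisoning, on-path attacker) can hand back any script.
weak_fetch() {
    wget --no-check-certificate -O "$2" "$1"
}

# Hardened fetch: wget validates the certificate chain and hostname by default
# against the system CA store, so a forged certificate aborts the download
# with an error instead of silently succeeding.
safe_fetch() {
    wget -q -O "$2" "$1"
}

# Return 0 when the SHA-256 of file $1 equals digest $2, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Install downloaded file $1 at path $3 only after its digest matches $2.
# The file is never made executable before verification succeeds, and a
# mismatching download is deleted rather than left on disk.
install_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "checksum mismatch, refusing to install" >&2
        rm -f "$1"
        return 1
    fi
    chmod 755 "$1" && mv "$1" "$3"
}

# Full update: download to a temp file, then verify and install atomically.
update_script() {
    tmp=$(mktemp) || return 1
    if ! safe_fetch "$1" "$tmp"; then
        echo "download failed (certificate or network error)" >&2
        rm -f "$tmp"
        return 1
    fi
    install_verified "$tmp" "$2" "$3"
}

# Defender's check: does script $1 disable certificate validation for wget or
# curl? Returns 0 when such a flag is found (so the caller can alert), 1 otherwise.
has_insecure_download() {
    grep -Eq -- '--no-check-certificate|--insecure|[[:space:]]-k[[:space:]]' "$1"
}

# Usage (needs root for the real install path):
#   update_script "$UPDATE_URL" "$EXPECTED_SHA256" /usr/bin/x-ui
#   has_insecure_download /usr/bin/x-ui && echo "x-ui still skips certificate checks"
```

Certificate validation is the primary control here; the digest check is a second layer and only helps if the expected digest came from a channel the attacker cannot influence (a release page fetched over a verified connection, a signed announcement), not from the same unauthenticated download. With validation left on, a stale or empty CA bundle causes the update to fail loudly, which is the failure mode you want from a script that runs as root.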

The vulnerability was fixed in https://github.com/MHSanaei/3x-ui/pull/2661.