Critical (9.2) CVE-2025-67229

TDSA-2025-001

Improper Certificate Validation Allows Response Spoofing

Details Published:

Product
ToDesktop Builder
Affected Versions
ToDesktop Builder before 0.32.1
Fixed In
0.32.1
Credited To
Hunter Wodzenski

Most likely, no action is required

If you have automatic security updates enabled (the default), your application has already been rebuilt with the fix and end-users receive it automatically the next time they use your app. No action is required on your part.

What if I have disabled automatic security updates?

The small number of users who have explicitly disabled automatic security updates have been contacted directly by our team to ensure their apps are updated.

For reference, the manual update steps are:

  1. Update ToDesktop Builder to version 0.32.1 or later
  2. Rebuild your application
  3. Release a new version of your app to your users

Summary

An Improper Certificate Validation vulnerability (CWE-295) was identified in applications built with ToDesktop Builder before version 0.32.1. Because affected applications did not properly validate the TLS certificate presented by a ToDesktop-controlled backend service, an unauthenticated attacker on the network path between the application and that backend could present a fraudulent certificate and spoof backend responses.

This issue was proactively identified through our Vulnerability Disclosure Program and resolved before any known exploitation occurred.

Impact

  • Severity: Critical (CVSS 4.0: 9.2)
  • Attack Vector: Network. The attacker must hold an on-path position between the application and the backend (e.g., a compromised network or a malicious proxy); this precondition is the AT:P component of the CVSS vector below.
  • Potential Impact: An attacker in that position could intercept and modify communications between the application and backend services, potentially leading to unauthorized data disclosure, integrity violations, or injection of malicious content into the application.

Technical Details

Applications built with affected versions of ToDesktop Builder did not properly validate the TLS certificate presented when communicating with a ToDesktop-controlled backend service. Because a certificate that did not chain to a trusted authority or did not match the backend hostname was still accepted, an attacker positioned on the network path (man-in-the-middle) could terminate the TLS connection with a fraudulent certificate and read or modify the traffic without the application noticing.

CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Timeline

All timestamps are in Coordinated Universal Time (UTC).

Date and Time (UTC)             Event
September 14th, 2025, 7:37pm    Vulnerability reported by Hunter Wodzenski.
September 14th, 2025, 9:10pm    Fixed version of ToDesktop Builder (0.32.1) released.
