CVE-2025-35434: 
Homebrew vulnerability analysis and mitigation

CISA Thorium, a framework used for malware analysis, contains a vulnerability (CVE-2025-35434) where it fails to validate TLS certificates when connecting to Elasticsearch. The vulnerability was discovered and disclosed in September 2025, affecting all versions of CISA Thorium prior to version 1.1.2. This security flaw is classified as CWE-295 (Improper Certificate Validation) (NVD, CSAF).

The vulnerability stems from improper certificate validation in the TLS connection process to Elasticsearch services. The issue has been assigned a CVSS v3.1 base score of 4.2 (MEDIUM) with a vector string of CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating adjacent network attack vector with high attack complexity. The vulnerability requires no privileges or user interaction and can potentially impact both confidentiality and integrity at a low level (NVD).

An unauthenticated attacker with access to a Thorium cluster could potentially impersonate the Elasticsearch service due to the lack of proper TLS certificate validation. This could lead to unauthorized access to data and potential manipulation of information flowing between Thorium and Elasticsearch (CSAF).

The vulnerability has been fixed in CISA Thorium version 1.1.2. Organizations using affected versions should upgrade to version 1.1.2 or later to address this security issue. The fix implements proper TLS certificate validation for Elasticsearch connections (Release Notes).

The vulnerability was discovered and reported by OpenAI Security Research, demonstrating ongoing security research efforts in the field of malware analysis tools. The fix was promptly implemented by the CISA Thorium development team, showing their commitment to maintaining security in their software (CSAF).