CVE-2025-55014
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2025-55014 is a security vulnerability in the YouDao plugin for StarDict, discovered in StarDict version 3.0.7+git20220909+dfsg-6 and related versions. The plugin sends X11 text selections to Chinese dictionary servers (dict.youdao.com and dict.cn) over unencrypted HTTP connections. The issue was discovered in August 2025 and affects systems running StarDict with the YouDao plugin enabled, particularly on Debian trixie and other distributions (Debian Bug, OSS Security).

Technical details

The vulnerability stems from the YouDao plugin's automatic scanning of X11 selections, where any text selected in any application is automatically sent to dict.youdao.com and dict.cn servers using plaintext HTTP. The issue is particularly concerning as it operates by default when the plugin is enabled. Network traffic analysis shows the plugin sends GET requests to these servers containing the selected text, using an outdated User-Agent string and unencrypted HTTP protocol. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N (NVD).
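The report says the leak is visible in network traffic as plaintext GET requests to the two dictionary hosts. The following is an added example, not code from the CVE report or from StarDict: it scans HTTP-proxy-style log lines for lookups sent to dict.youdao.com or dict.cn, recovers the text that left the host as far as the URL reveals it, and separates the unencrypted lookups from any that went over TLS. The log format, the sample lines, the request paths, the query parameter name and the User-Agent strings are all constructed for this example; the report does not give the plugin's real URL layout or its User-Agent value.

```python
"""Added example (not from the CVE report or from StarDict): scan HTTP proxy
log lines for dictionary lookups sent to the two hosts named in the report,
and flag the ones that travelled over plaintext HTTP.

The log format and every sample line below are constructed for this example;
the real request path, query parameter and User-Agent string used by the
plugin are not given in the report, so the URLs here are placeholders."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts named in the report as receiving the X11 selection text.
WATCHED_HOSTS = {"dict.youdao.com", "dict.cn"}

# Constructed log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client leaks a selection in the clear to both hosts,
# one lookup goes over TLS, one request is unrelated, one is a CONNECT tunnel.
SAMPLE_LOG = """\
2025-08-12T09:14:02Z 10.0.0.5 GET http://dict.youdao.com/search?q=my%20secret%20note 200 "Mozilla/4.0 (constructed legacy UA)"
2025-08-12T09:14:03Z 10.0.0.5 GET http://dict.cn/my%20secret%20note 200 "Mozilla/4.0 (constructed legacy UA)"
2025-08-12T09:14:05Z 10.0.0.5 GET https://dict.youdao.com/search?q=hello 200 "Mozilla/5.0 (constructed)"
2025-08-12T09:14:07Z 10.0.0.7 GET http://example.org/index.html 200 "Mozilla/5.0 (constructed)"
2025-08-12T09:14:09Z 10.0.0.5 CONNECT dict.youdao.com:443 200 "Mozilla/5.0 (constructed)"
"""


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    term: str          # text that left the host, as far as the URL reveals it
    plaintext: bool    # True when the lookup used http:// rather than https://
    user_agent: str


def lookup_term(url: str) -> str:
    """Best-effort recovery of the looked-up text: every query-string value,
    or the last path segment when the term is carried in the path."""
    parts = urlsplit(url)
    values = [v for vals in parse_qs(parts.query).values() for v in vals]
    if values:
        return " ".join(values)
    return unquote(parts.path.rsplit("/", 1)[-1])


def scan(lines):
    """Return one Finding per GET request to a watched host, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["url"])
        if parts.scheme not in ("http", "https") or parts.hostname not in WATCHED_HOSTS:
            continue
        findings.append(Finding(
            ts=m["ts"], client=m["client"], host=parts.hostname,
            term=lookup_term(m["url"]), plaintext=(parts.scheme == "http"),
            user_agent=m["ua"],
        ))
    return findings


def plaintext_leaks(findings):
    """Only the lookups that went out unencrypted, which is what the report describes."""
    return [f for f in findings if f.plaintext]


if __name__ == "__main__":
    for f in plaintext_leaks(scan(SAMPLE_LOG.splitlines())):
        print(f"{f.ts} {f.client} -> {f.host}: {f.term!r} (UA: {f.user_agent})")
```

Keeping every lookup to the watched hosts in the findings and marking the scheme separately, rather than filtering on http:// up front, lets the same scan answer two different questions: which clients are running the plugin at all, and which selections actually crossed the network in the clear. On a real proxy or Zeek log the regex and the field order would need to match that log's format.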

Impact

The vulnerability can lead to the inadvertent exposure of sensitive information, as any text selected by users (including passwords, private messages, or confidential data) could be transmitted to external servers without encryption. This creates a significant privacy risk, especially in multi-user environments or when handling sensitive data. The impact is particularly severe as the feature operates by default without user awareness (OSS Security).

Mitigation and workarounds

Several mitigation options are available: users can disable the network dictionary plugins (dict.cn and youdao.com), enable the 'Only scan while the modifier key is being pressed' option under the 'Scan Selection' settings, or switch to Wayland, which provides application sandboxing by default. The Debian maintainer has proposed splitting the network dictionary plugins into a separate package with appropriate warnings about the data transmission (Debian Bug).

Community reactions

The vulnerability has sparked discussion in the Debian community, with some developers and users expressing concern about the privacy implications. The Debian maintainer initially classified the issue as a feature rather than a security problem, but later acknowledged the need for changes in package management and user notifications. The issue has drawn parallels to a similar vulnerability (CVE-2009-2260) from 2009, highlighting ongoing concerns about privacy in dictionary applications (OSS Security).

This report was generated using AI.
