Impact
aria2c accepts a server certificate whose Extended Key Usage is incorrect for that role, that is, one that does not authorize TLS server authentication. An attacker who has compromised such a certificate together with its private key can therefore reuse it to authenticate as a TLS server, and aria2c will trust the attacker as a legitimate server. This enables a man-in-the-middle attack, data exfiltration, or injection of malicious content. The primary impact is an authentication bypass that undermines the confidentiality and integrity guarantees of the TLS connections aria2c makes.
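The check that a strict TLS client performs, and that the flaw described above omits, is shown below as an added example; it is not code from the aria2 project. Go's standard crypto/x509 verifier is asked to validate a constructed self-signed certificate for server authentication: a certificate whose EKU only permits client authentication is rejected with IncompatibleUsage, one carrying serverAuth is accepted, and one with no EKU extension at all is accepted because an absent EKU imposes no restriction. The hostname example.test, the key and the certificates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed, self-signed certificate for host that
// carries exactly the given Extended Key Usage values (no EKU extension if
// ekus is nil). It is test data for this example, not anything shipped by aria2.
func makeSelfSigned(host string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptedForServerAuth trusts cert as a root and asks the verifier whether it
// may authenticate a TLS server for host. It returns (false, nil) when the
// certificate is rejected specifically because its EKU is incompatible with
// server authentication, which is the check this advisory says aria2c lacks.
func acceptedForServerAuth(cert *x509.Certificate, host string) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err == nil {
		return true, nil
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage {
		return false, nil
	}
	return false, err // failed for another reason (expiry, name mismatch, ...)
}

// checkEKU builds a certificate with the given EKUs and reports whether a
// strict client would accept it for TLS server authentication of host.
func checkEKU(host string, ekus []x509.ExtKeyUsage) (bool, error) {
	cert, err := makeSelfSigned(host, ekus)
	if err != nil {
		return false, err
	}
	return acceptedForServerAuth(cert, host)
}

func main() {
	cases := map[string][]x509.ExtKeyUsage{
		"serverAuth only":  {x509.ExtKeyUsageServerAuth},
		"clientAuth only":  {x509.ExtKeyUsageClientAuth},
		"no EKU extension": nil,
	}
	for name, ekus := range cases {
		ok, err := checkEKU("example.test", ekus)
		if err != nil {
			fmt.Printf("%-17s error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-17s accepted for server auth: %v\n", name, ok)
	}
}
```

The point of the example is the KeyUsages field: a client that validates the chain but never asks "is this certificate permitted to act as a TLS server?" will accept a compromised client or code-signing certificate exactly as the advisory describes. Go's tls package applies this EKU restriction by default; clients that drive the X.509 validation themselves have to apply it explicitly.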
Affected Systems
The vulnerability affects all versions of aria2c distributed by the aria2 Project. No specific versions are listed as affected, and no version restrictions are currently known.
Risk and Exploitability
The CVSS score of 4.8 rates the weakness as moderate, and no EPSS score is available; together these indicate a low to moderate risk of exploitation under typical conditions. The flaw requires the attacker to have already compromised a certificate with an incorrect Extended Key Usage together with its private key, so a successful attack would most likely come from an external attacker holding both. The vulnerability is not listed in the CISA KEV catalog, which suggests no widespread active exploitation. The attack vector would involve the attacker installing the misused certificate on a server that a user's aria2c connects to, enabling a man-in-the-middle style compromise. While the potential impact to confidentiality and integrity is serious, these prerequisites reduce the likelihood of exploitation for most organizations.
OpenCVE Enrichment