Critical Vulnerability Information

Vulnerability Overview

CVE ID: CVE-2025-56608
Release Date: September 3, 2025
Last Updated: September 3, 2025
Discoverer: Aninda Saha

Vulnerability Details

Vulnerability Type: Use of Broken or Risky Cryptographic Algorithm (CWE-327)
Affected File: anywheresoftware/b4a/http/OkHttpClientWrapper.java
Vulnerable Function: uses
Impact:
- MD5 is vulnerable to collision attacks
- Attackers can generate different inputs that produce the same hash value
- Enables replay attacks, forged authentication tokens, password cracking via brute force, and potential unauthorized access

Attack Vector

Local / Decompiled APK

Affected Product

Product: Corona Virus Tracker App India
Version: 1.0
Vendor: https://www.sourcecodester.com/android/14292/android-corona-virus-tracker-app-india-using-b4a.html

Proof of Concept (PoC)

Static analysis using MobSF revealed the use of MD5 in authentication code:

Recommendations

- Replace MD5 with secure hashing algorithms such as SHA-256 or SHA-3
- Consider using PBKDF2, bcrypt, or Argon2 for password hashing
- Ensure proper salting and key stretching to enhance security
- Review overall authentication mechanisms according to OWASP MASVS guidelines

Timeline

- August 2025: Vulnerability discovered
- September 2, 2025: CVE request submitted to MITRE
- September 3, 2025: CVE ID assigned (CVE-2025-56608)
- September 3, 2025: Public advisory released