CVE-2025-27809

medium

Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

References

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

https://mastodon.social/@bagder/114219540623402700

https://github.com/Mbed-TLS/mbedtls/releases

https://github.com/Mbed-TLS/mbedtls/issues/466

Details

Source: Mitre, NVD

Published: 2025-03-25

Updated: 2025-07-17

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N