CVE-2025-27809

EUVD-2025-8055
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
armmbed_tls
𝑥
< 2.28.10
armmbed_tls
3.0.0 ≤
𝑥
< 3.6.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mbedtls
bionic
ignored
focal
ignored
jammy
ignored
noble
ignored
oracular
ignored
plucky
ignored
questing
needed
xenial
ignored
Common Weakness Enumeration
References
https://github.com/Mbed-TLS/mbedtls/releases
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
https://github.com/Mbed-TLS/mbedtls/issues/466
https://mastodon.social/@bagder/114219540623402700