← back
CVE-2025-27809

CVE-2025-27809

CVSS 5.4 MEDIUMEPSS 0.2%CWE-1188
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products
Mbed · mbedtls

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Mbed-TLS/mbedtls/issues/466https://github.com/Mbed-TLS/mbedtls/releaseshttps://mastodon.social/@bagder/114219540623402700https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/