CVE-2025-27809: Initialization of a Resource with an Insecure Default in Mbedtls

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.1% (top 76.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products:
Timeline: Published Mar 25

Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.7

Affected Packages (3 packages)

Source       Package         Versions          Additional ranges
CVEListV5    mbed/mbedtls    3.0.0 to 3.6.3    +1
NVD          arm/mbed_tls    3.0.0 to 3.6.3    +1
Debian       mbed/mbedtls    < 3.6.3-1         +1

Vulnerability Details (3)

GHSA:     GHSA-76fv-m4gp-q47j: Mbed TLS before 2... (2025-03-25)
OSV:      CVE-2025-27809: Mbed TLS before 2... (2025-03-25)
CVEList:  CVE-2025-27809: Mbed TLS before 2... (2025-03-25)

Vendor Advisories (2)

Microsoft:  Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostnam... (2025-03-11)
Debian:     CVE-2025-27809: mbedtls - Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts server... (2025)
CVE-2025-27809 — Mbed Mbedtls vulnerability | cvebase