CVE-2025-27809

Published: 3/25/2025 Last updated: 3/25/2025 Reserved: 3/7/2025

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	5.4	Medium	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Opam packages affected (1)

conf-mbedtls

Products affected (1)

Product	Vendor	Version
mbedtls	Mbed	1.2.5

References (4)

https://github.com/Mbed-TLS/mbedtls/releases
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
https://mastodon.social/@bagder/114219540623402700
https://github.com/Mbed-TLS/mbedtls/issues/466