CVE-2025-11935 — Vulnetix

CVE-2025-11935 PUBLISHED CVSS 6.300000190734863 MEDIUM

With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.

EPSS 0.01% · 2.0th percentile

Risk Scores

CVSS 4.0

6.300000190734863

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS Score

0.01%

2.0th percentile

Affected Products

Vendor	Product	Versions
wolfssl	wolfssl	5.8.2
wolfSSL	wolfSSL	3.12.0

Exploit Intelligence

https://github.com/wolfSSL/wolfssl (circl)
https://github.com/wolfSSL/wolfssl/pull/9112 (circl)

Timeline

Jan 21, 1970 Fix PR Merged
Oct 17, 2025 CVE ID Reserved
Nov 21, 2025 Coalition ESS Score
Nov 21, 2025 CVE Published
Nov 22, 2025 EPSS Score
Nov 27, 2025 EPSS Score
Dec 1, 2025 Coalition ESS Score
Dec 2, 2025 EPSS Score
Dec 3, 2025 Coalition ESS Score
Dec 4, 2025 Coalition ESS Score
Dec 6, 2025 EPSS Score
Dec 6, 2025 Coalition ESS Score

References

Open in Interactive Console →