VDB
CVE-2025-27809
CVE-2025-27809
PUBLISHED
CVSS 5.400000095367432 MEDIUM
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
EPSS 0.14% · 33.8th percentile
Risk Scores
CVSS v3.1
5.400000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score
0.14%
33.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mbed | mbedtls | 0, 3.0.0 |
| mbed | mbedtls | 0, 3.0.0 |
| arm | mbed_tls | 0, 3.0.0 |
Timeline
- Mar 24, 2025 PoC Published
- Mar 24, 2025 PoC Published
- Mar 25, 2025 CVE Published
- Mar 25, 2025 EPSS Score
- Mar 25, 2025 Coalition ESS Score
- Mar 25, 2025 PoC Published
- Mar 25, 2025 CVE Updated
- Mar 27, 2025 Coalition ESS Score
- Apr 7, 2025 EPSS Score
- Apr 20, 2025 EPSS Score
- May 3, 2025 EPSS Score
- May 16, 2025 EPSS Score
References
- https://github.com/Mbed-TLS/mbedtls/releases url
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/ url
- https://mastodon.social/@bagder/114219540623402700 url
- https://github.com/Mbed-TLS/mbedtls/issues/466 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-27809 advisory
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1 url