VDB
CVE-2025-49087
CVE-2025-49087
PUBLISHED
CVSS 4 MEDIUM
In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.
EPSS 0.43% · 62.7th percentile
Risk Scores
CVSS v3.1
4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS Score
0.43%
62.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mbed | mbedtls | 3.6.1 |
| arm | mbed_tls | 3.6.1 |
| mbed | mbedtls | 3.6.1 |
Timeline
- Jul 20, 2025 CVE Published
- Jul 20, 2025 Coalition ESS Score
- Jul 21, 2025 EPSS Score
- Jul 21, 2025 CVE Updated
- Jul 22, 2025 Coalition ESS Score
- Jul 30, 2025 EPSS Score
- Aug 7, 2025 Coalition ESS Score
- Aug 8, 2025 EPSS Score
- Aug 17, 2025 EPSS Score
- Aug 22, 2025 Coalition ESS Score
- Aug 26, 2025 EPSS Score
- Aug 26, 2025 Coalition ESS Score
References
- https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/ url
- https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-5.md url
- https://nvd.nist.gov/vuln/detail/CVE-2025-49087 advisory
- https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories url