CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-6VCJ-R95X-WJ5W
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:32Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.
{
"affected": [],
"aliases": [
"CVE-2019-11674"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-22T15:15:00Z",
"severity": "MODERATE"
},
"details": "Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.",
"id": "GHSA-6vcj-r95x-wj5w",
"modified": "2024-04-04T02:32:25Z",
"published": "2022-05-24T16:59:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11674"
},
{
"type": "WEB",
"url": "https://www.netiq.com/documentation/self-service-password-reset-44/release-notes-sspr-44-p4/data/release-notes-sspr-44-p4.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6WRG-CR3C-H2HF
Vulnerability from github – Published: 2024-04-02 00:30 – Updated: 2024-04-02 00:30PDF-XChange Editor Updater Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is not required to exploit this vulnerability.
The specific flaw exists within the update functionality. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22224.
{
"affected": [],
"aliases": [
"CVE-2024-27323"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T22:15:15Z",
"severity": "HIGH"
},
"details": "PDF-XChange Editor Updater Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is not required to exploit this vulnerability.\n\nThe specific flaw exists within the update functionality. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22224.",
"id": "GHSA-6wrg-cr3c-h2hf",
"modified": "2024-04-02T00:30:46Z",
"published": "2024-04-02T00:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27323"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-72C7-4G63-HPW5
Vulnerability from github – Published: 2025-10-15 20:12 – Updated: 2025-10-16 14:43Impact
This vulnerability only affects users of the AWS attestor.
Users of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]
There are multiple locations where the verification of the identity document will mistakenly report a successful verification.
-
If a signature is not present or is empty https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163
-
If the RSA verification of the document fails for any reason https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L192-L196
Workarounds
The contents of the AWS attestation contain the identity document, signature, and public key that was used to verify the document. These attestations and their could be identity documents could be manually verified with the openssl command line as documented in the below reference from AWS.[^2]
However, the certificate containing the public key was hard-coded into the attestor. https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L46-L66
Since the original authoring of the attestor, AWS has moved to region specific public certificates. The currently valid certificates were issued around April of 2024, making the identification of attestations with forged content difficult without additional trusted data proving the AWS region in which the attestation was created.
Patches
This vulnerability is addressed in go-witness 0.9.1 and witness 0.10.1.
Resources
[^1]: AWS Security Bulletin on IMDS Impersonation [^2]: Verification of instance identity documents
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/in-toto/go-witness"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62375"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T20:12:56Z",
"nvd_published_at": "2025-10-15T20:15:36Z",
"severity": "MODERATE"
},
"details": "### Impact\nThis vulnerability only affects users of the AWS attestor.\n\nUsers of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]\n\nThere are multiple locations where the verification of the identity document will mistakenly report a successful verification.\n\n- If a signature is not present or is empty\nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163\n\n- If the RSA verification of the document fails for any reason\nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L192-L196\n\n### Workarounds\nThe contents of the AWS attestation contain the identity document, signature, and public key that was used to verify the document. These attestations and their could be identity documents could be manually verified with the `openssl` command line as documented in the below reference from AWS.[^2]\n\nHowever, the certificate containing the public key was hard-coded into the attestor. \nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L46-L66\n\nSince the original authoring of the attestor, AWS has moved to region specific public certificates. The currently valid certificates were issued around April of 2024, making the identification of attestations with forged content difficult without additional trusted data proving the AWS region in which the attestation was created.\n\n### Patches\nThis vulnerability is addressed in `go-witness` 0.9.1 and `witness` 0.10.1.\n\n### Resources\n[^1]: [AWS Security Bulletin on IMDS Impersonation](https://aws.amazon.com/security/security-bulletins/rss/aws-2025-021/)\n[^2]: [Verification of instance identity documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-iid.html#verify-signature)",
"id": "GHSA-72c7-4g63-hpw5",
"modified": "2025-10-16T14:43:47Z",
"published": "2025-10-15T20:12:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62375"
},
{
"type": "WEB",
"url": "https://github.com/in-toto/go-witness/commit/04ff20b600e28ce8fd1aa287534dd383a1cfefb9"
},
{
"type": "PACKAGE",
"url": "https://github.com/in-toto/go-witness"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents"
}
GHSA-72MH-269X-7MH5
Vulnerability from github – Published: 2021-05-24 19:52 – Updated: 2021-05-20 21:59The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "xmlhttprequest-ssl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-31597"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T21:59:29Z",
"nvd_published_at": "2021-04-23T00:15:00Z",
"severity": "CRITICAL"
},
"details": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.",
"id": "GHSA-72mh-269x-7mh5",
"modified": "2021-05-20T21:59:29Z",
"published": "2021-05-24T19:52:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31597"
},
{
"type": "WEB",
"url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2"
},
{
"type": "WEB",
"url": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1"
},
{
"type": "WEB",
"url": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210618-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in xmlhttprequest-ssl"
}
GHSA-72QJ-48G4-5XGX
Vulnerability from github – Published: 2025-05-07 17:32 – Updated: 2026-01-21 16:54Summary
When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present any valid cert for a completely different domain they own, and JRuby wouldn't complain.
Details
n/a
PoC
An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with certificate verify failed (hostname mismatch), but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3
require "net/http"
require "openssl"
uri = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
body = https.start { https.get(uri.request_uri).body }
puts body
Impact
Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "rubygems:jruby-openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.1"
},
{
"fixed": "0.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0.0"
},
{
"fixed": "10.0.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.4.0"
},
{
"fixed": "9.4.12.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "jruby-openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.1"
},
{
"fixed": "0.15.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46551"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-07T17:32:54Z",
"nvd_published_at": "2025-05-07T17:15:58Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn\u0027t complain. \n\n### Details\nn/a\n\n### PoC\nAn example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3\n\n```ruby\nrequire \"net/http\"\nrequire \"openssl\"\n\nuri = URI(\"https://bad.substitutealert.com/\")\nhttps = Net::HTTP.new(uri.host, uri.port)\nhttps.use_ssl = true\nhttps.verify_mode = OpenSSL::SSL::VERIFY_PEER\n\nbody = https.start { https.get(uri.request_uri).body }\nputs body\n```\n\n### Impact\nAnybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely",
"id": "GHSA-72qj-48g4-5xgx",
"modified": "2026-01-21T16:54:31Z",
"published": "2025-05-07T17:32:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46551"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055"
},
{
"type": "PACKAGE",
"url": "https://github.com/jruby/jruby-openssl"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2025-46551.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "JRuby-OpenSSL has hostname verification disabled by default"
}
GHSA-72X2-RJXM-55P4
Vulnerability from github – Published: 2025-07-11 06:30 – Updated: 2025-07-11 06:30The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack.
{
"affected": [],
"aliases": [
"CVE-2025-30024"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T06:15:24Z",
"severity": "MODERATE"
},
"details": "The communication protocol used between client\nand server had a flaw that could be leveraged to execute a man in the middle attack.",
"id": "GHSA-72x2-rjxm-55p4",
"modified": "2025-07-11T06:30:30Z",
"published": "2025-07-11T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30024"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/01/d9/24/cve-2025-30024pdf-en-US-485734.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-72X5-8V8J-3PMX
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30NETGEAR Multiple Routers curl_post Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the update functionality, which operates over HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-19981.
{
"affected": [],
"aliases": [
"CVE-2023-35721"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T02:15:34Z",
"severity": "HIGH"
},
"details": "NETGEAR Multiple Routers curl_post Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the update functionality, which operates over HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-19981.",
"id": "GHSA-72x5-8v8j-3pmx",
"modified": "2024-05-03T03:30:52Z",
"published": "2024-05-03T03:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35721"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000065668/Security-Advisory-for-Improper-Remote-Server-Certificate-Validation-on-the-RAX50-PSV-2023-0019"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-893"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7359-3C6R-HFC2
Vulnerability from github – Published: 2021-04-22 16:22 – Updated: 2023-01-24 14:59lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "oauth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-11086"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-20T18:23:58Z",
"nvd_published_at": "2020-09-24T20:15:00Z",
"severity": "HIGH"
},
"details": "lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.",
"id": "GHSA-7359-3c6r-hfc2",
"modified": "2023-01-24T14:59:50Z",
"published": "2021-04-22T16:22:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11086"
},
{
"type": "WEB",
"url": "https://github.com/oauth-xx/oauth-ruby/issues/137"
},
{
"type": "WEB",
"url": "https://github.com/oauth-xx/oauth-ruby/commit/eb5b00a91d4ef0899082fdba929c34ccad6d4ccb"
},
{
"type": "PACKAGE",
"url": "https://github.com/oauth-xx/oauth-ruby"
},
{
"type": "WEB",
"url": "https://github.com/oauth-xx/oauth-ruby/releases/tag/v0.5.5"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/oauth"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in oauth ruby gem"
}
GHSA-738X-V49G-P6HX
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2024-10-22 17:24The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "scalyr-agent-2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24715"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-13T20:29:13Z",
"nvd_published_at": "2020-08-27T22:15:00Z",
"severity": "CRITICAL"
},
"details": "The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName.",
"id": "GHSA-738x-v49g-p6hx",
"modified": "2024-10-22T17:24:01Z",
"published": "2022-05-24T17:26:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24715"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/scalyr-agent-2/PYSEC-2020-252.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/scalyr/scalyr-agent-2"
},
{
"type": "WEB",
"url": "https://github.com/scalyr/scalyr-agent-2/blob/v2.1.10/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://scalyr-static.s3.amazonaws.com/technical-details/index.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20211209045826/https://scalyr-static.s3.amazonaws.com/technical-details/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Scalyr Agent 2 Missing SSL Certificate Validation"
}
GHSA-73M2-QFQ3-56CX
Vulnerability from github – Published: 2025-04-24 12:31 – Updated: 2025-05-17 00:30A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.httpcomponents.client5:httpclient5"
},
"ranges": [
{
"events": [
{
"introduced": "5.4-alpha1"
},
{
"fixed": "5.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27820"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-24T16:36:08Z",
"nvd_published_at": "2025-04-24T12:15:16Z",
"severity": "HIGH"
},
"details": "A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.",
"id": "GHSA-73m2-qfq3-56cx",
"modified": "2025-05-17T00:30:25Z",
"published": "2025-04-24T12:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27820"
},
{
"type": "WEB",
"url": "https://github.com/apache/httpcomponents-client/pull/574"
},
{
"type": "WEB",
"url": "https://github.com/apache/httpcomponents-client/pull/621"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/httpcomponents-client"
},
{
"type": "WEB",
"url": "https://hc.apache.org/httpcomponents-client-5.4.x/index.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250516-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache HttpClient disables domain checks"
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.