- Description
- Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application. The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker. In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity. The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.
- Source
- openssl-security@openssl.org
- NVD status
- Deferred
CVSS 3.1
- Type
- Secondary
- Base score
- 5.9
- Impact score
- 3.6
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- MEDIUM
- openssl-security@openssl.org
- CWE-125
- Hype score
- Not currently trending
kusanagi-openssl モジュール更新情報 3.5.4-1 KUSANAGI 9 を構成している各モジュールのアップデートを行いました。 アップデートにより適用される各モジュールのバージョンは、以下のとおりとなります。 openssl 3.5.
@kusanagi_saya
12 Dec 2025
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The OpenSSL Project has released updates (3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd, 1.0.2zm) addressing 3 CVEs: CVE-2025-9230: Out-of-bounds R/W → possible RCE or DoS CVE-2025-9231: SM2 timing side-channel on ARM → key recovery risk CVE-2025-9232: Out-of-bounds read → Do
@cyber_sec_raj
5 Oct 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
OpenSSL Security Advisory [30th September 2025] https://t.co/YJbVmIwaZn CVE-2025-9230: Out-of-bounds read & write in RFC 3211 KEK Unwrap CVE-2025-9231: Timing side-channel in SM2 algorithm on 64 bit ARM CVE-2025-9232: Out-of-bounds read in HTTP client no_proxy handling
@oss_security
1 Oct 2025
29 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
OpenSSLの脆弱性(Moderate: CVE-2025-9230, CVE-2025-9231, Low: CVE-2025-9232)と3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, 1.1.1zdリリース - SIOS SECURITY BLOG https://t.co/Zd4daw56H2
@pHo9UBenaA
1 Oct 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-9232 Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host p… https://t.co/rUAUTIEPeU
@CVEnew
30 Sept 2025
314 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes