{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9232", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "state": "PUBLISHED", "assignerShortName": "openssl", "dateReserved": "2025-08-20T08:38:12.019Z", "datePublished": "2025-09-30T13:17:19.172Z", "dateUpdated": "2025-09-30T19:22:35.483Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSL", "vendor": "OpenSSL", "versions": [{"lessThan": "3.5.4", "status": "affected", "version": "3.5.0", "versionType": "semver"}, {"lessThan": "3.4.3", "status": "affected", "version": "3.4.0", "versionType": "semver"}, {"lessThan": "3.3.5", "status": "affected", "version": "3.3.3", "versionType": "semver"}, {"lessThan": "3.2.6", "status": "affected", "version": "3.2.4", "versionType": "semver"}, {"lessThan": "3.0.18", "status": "affected", "version": "3.0.16", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Stanislav Fort (Aisle Research)"}, {"lang": "en", "type": "remediation developer", "value": "Stanislav Fort (Aisle Research)"}], "datePublic": "2025-09-30T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Issue summary: An application using the OpenSSL HTTP client API functions may<br>trigger an out-of-bounds read if the 'no_proxy' environment variable is set and<br>the host portion of the authority component of the HTTP URL is an IPv6 address.<br><br>Impact summary: An out-of-bounds read can trigger a crash which leads to<br>Denial of Service for an application.<br><br>The OpenSSL HTTP client API functions can be used directly by applications<br>but they are also used by the OCSP client functions and CMP (Certificate<br>Management Protocol) client implementation in OpenSSL. However the URLs used<br>by these implementations are unlikely to be controlled by an attacker.<br><br>In this vulnerable code the out of bounds read can only trigger a crash.<br>Furthermore the vulnerability requires an attacker-controlled URL to be<br>passed from an application to the OpenSSL function and the user has to have<br>a 'no_proxy' environment variable set. For the aforementioned reasons the<br>issue was assessed as Low severity.<br><br>The vulnerable code was introduced in the following patch releases:<br>3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.<br><br>The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this<br>issue, as the HTTP client implementation is outside the OpenSSL FIPS module<br>boundary."}], "value": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the 'no_proxy' environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na 'no_proxy' environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary."}], "metrics": [{"format": "other", "other": {"content": {"text": "Low"}, "type": "https://openssl-library.org/policies/general/security-policy/"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2025-09-30T13:17:19.172Z"}, "references": [{"name": "OpenSSL Advisory", "tags": ["vendor-advisory"], "url": "https://openssl-library.org/news/secadv/20250930.txt"}, {"name": "3.5.4 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35"}, {"name": "3.4.3 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3"}, {"name": "3.3.5 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0"}, {"name": "3.2.6 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf"}, {"name": "3.0.18 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b"}], "source": {"discovery": "UNKNOWN"}, "title": "Out-of-bounds read in HTTP client no_proxy handling", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T19:22:31.407504Z", "id": "CVE-2025-9232", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T19:22:35.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-9232", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T19:22:31.407504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T19:22:23.941Z"}}], "cna": {"title": "Out-of-bounds read in HTTP client no_proxy handling", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Stanislav Fort (Aisle Research)"}, {"lang": "en", "type": "remediation developer", "value": "Stanislav Fort (Aisle Research)"}], "metrics": [{"other": {"type": "https://openssl-library.org/policies/general/security-policy/", "content": {"text": "Low"}}, "format": "other"}], "affected": [{"vendor": "OpenSSL", "product": "OpenSSL", "versions": [{"status": "affected", "version": "3.5.0", "lessThan": "3.5.4", "versionType": "semver"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.3", "versionType": "semver"}, {"status": "affected", "version": "3.3.3", "lessThan": "3.3.5", "versionType": "semver"}, {"status": "affected", "version": "3.2.4", "lessThan": "3.2.6", "versionType": "semver"}, {"status": "affected", "version": "3.0.16", "lessThan": "3.0.18", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2025-09-30T14:00:00.000Z", "references": [{"url": "https://openssl-library.org/news/secadv/20250930.txt", "name": "OpenSSL Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35", "name": "3.5.4 git commit", "tags": ["patch"]}, {"url": "https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3", "name": "3.4.3 git commit", "tags": ["patch"]}, {"url": "https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0", "name": "3.3.5 git commit", "tags": ["patch"]}, {"url": "https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf", "name": "3.2.6 git commit", "tags": ["patch"]}, {"url": "https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b", "name": "3.0.18 git commit", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the 'no_proxy' environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na 'no_proxy' environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary.", "supportingMedia": [{"type": "text/html", "value": "Issue summary: An application using the OpenSSL HTTP client API functions may<br>trigger an out-of-bounds read if the 'no_proxy' environment variable is set and<br>the host portion of the authority component of the HTTP URL is an IPv6 address.<br><br>Impact summary: An out-of-bounds read can trigger a crash which leads to<br>Denial of Service for an application.<br><br>The OpenSSL HTTP client API functions can be used directly by applications<br>but they are also used by the OCSP client functions and CMP (Certificate<br>Management Protocol) client implementation in OpenSSL. However the URLs used<br>by these implementations are unlikely to be controlled by an attacker.<br><br>In this vulnerable code the out of bounds read can only trigger a crash.<br>Furthermore the vulnerability requires an attacker-controlled URL to be<br>passed from an application to the OpenSSL function and the user has to have<br>a 'no_proxy' environment variable set. For the aforementioned reasons the<br>issue was assessed as Low severity.<br><br>The vulnerable code was introduced in the following patch releases:<br>3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.<br><br>The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this<br>issue, as the HTTP client implementation is outside the OpenSSL FIPS module<br>boundary.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2025-09-30T13:17:19.172Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9232", "state": "PUBLISHED", "dateUpdated": "2025-09-30T19:22:35.483Z", "dateReserved": "2025-08-20T08:38:12.019Z", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "datePublished": "2025-09-30T13:17:19.172Z", "assignerShortName": "openssl"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the 'no_proxy' environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na 'no_proxy' environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary."}], "id": "CVE-2025-9232", "lastModified": "2025-10-02T19:12:17.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-30T14:15:41.313", "references": [{"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0"}, {"source": "openssl-security@openssl.org", "url": "https://openssl-library.org/news/secadv/20250930.txt"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "openssl-security@openssl.org", "type": "Secondary"}]}

{"bugzilla": {"description": "openssl: Out-of-bounds read in HTTP client no_proxy handling", "id": "2396056", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396056"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-125", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-9232", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "shim-unsigned-aarch64", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ovmf", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "compat-openssl10", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mingw-openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "compat-openssl11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "shim-unsigned-aarch64", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "compat-openssl11", "product_name": "Red Hat In-Vehicle Operating System 1"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Fix deferred", "package_name": "edk2", "product_name": "Red Hat In-Vehicle Operating System 1"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Fix deferred", "package_name": "openssl", "product_name": "Red Hat In-Vehicle Operating System 1"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "shim", "product_name": "Red Hat In-Vehicle Operating System 1"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "shim-unsigned-aarch64", "product_name": "Red Hat In-Vehicle Operating System 1"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat In-Vehicle Operating System 1"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "openssl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-09-30T23:59:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-9232\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9232"], "statement": "This vulnerability was rated as Low severity because exploitation requires a very specific set of conditions: the application must pass an attacker-controlled IPv6 URL to the OpenSSL HTTP client functions, and the no_proxy environment variable must be set by the user. Even under these conditions, the issue can only lead to an out-of-bounds read resulting in a crash, causing an application level denial of service. There is no potential for information disclosure or remote code execution. Additionally, typical use cases of the OpenSSL HTTP client (e.g., in OCSP or CMP) do not involve attacker-controlled URLs, which further reduces the likelihood of exploitation.", "threat_severity": "Low"}

{"created": "2025-10-02T08:46:19.363998+00:00", "updated": "2025-10-02T08:46:19.364050+00:00", "vendors": ["openssl", "openssl$PRODUCT$openssl"]}