CVE-2016-2402

MEDIUM

OkHttp < 2.7.4 and 3.x < 3.1.2 - Certificate Pinning Bypass via Trusted CA Certificate Chain

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-2402. PoCs published by ikoz.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2016-2402, a certificate pinning bypass vulnerability. The script sets up a malicious HTTPS server that serves a crafted certificate chain to intercept traffic from vulnerable applications.

Description

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

Exploits (2)

nomisec WORKING POC 13 stars
by ikoz · poc
https://github.com/ikoz/cert-pinning-flaw-poc

This repository contains a functional proof-of-concept exploit for CVE-2016-2402, a certificate pinning bypass vulnerability. The script sets up a malicious HTTPS server that serves a crafted certificate chain to intercept traffic from vulnerable applications.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Android applications with vulnerable certificate pinning implementations
No auth needed
Prerequisites: Trusted CA certificate and key · Ability to redirect traffic to the malicious server
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 10 stars
by ikoz · poc
https://github.com/ikoz/certPinningVulnerableOkHttp

This repository contains a functional PoC demonstrating CVE-2016-2402, a certificate pinning bypass vulnerability in OkHttp 3.0.1. The app uses OkHttp with certificate pinning enabled but is vulnerable due to improper validation, allowing MITM attacks.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: OkHttp 3.0.1
No auth needed
Prerequisites: Proxy setup with a trusted CA certificate · Java runtime environment
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5
Core References
Technical Description, Third Party Advisory x_refsource_misc
https://koz.io/pinning-cve-2016-2402/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/02/10/8
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/02/18/7

Scores

CVSS v3 5.9
EPSS 0.0225
EPSS Percentile 80.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-295
Status published
Products (6)
com.squareup.okhttp3/okhttp 0 - 2.7.4Maven
squareup/okhttp < 2.7.3
squareup/okhttp3 3.0.0 (2 CPE variants)
squareup/okhttp3 3.0.1
squareup/okhttp3 3.1.0
squareup/okhttp3 3.1.1
Published Jan 30, 2017
Tracked Since Feb 18, 2026