Description
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
References (4)
Core 4
Core References
Release Notes
https://github.com/Mbed-TLS/mbedtls/releases
Third Party Advisory
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
Issue Tracking
https://github.com/Mbed-TLS/mbedtls/issues/466
Not Applicable
https://mastodon.social/@bagder/114219540623402700
Scores
CVSS v3
5.4
EPSS
0.0017
EPSS Percentile
6.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1188
Status
published
Products (2)
arm/mbed_tls
< 2.28.10
trustedfirmware/mbed_tls
3.0.0 - 3.6.3
Published
Mar 25, 2025
Tracked Since
Feb 18, 2026