CVE-2025-49015

MEDIUM

Couchbase .NET SDK <3.7.1 - SSL/TLS Info Disclosure

Title source: llm

Description

The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.

References (3)

Core 3

Core References

Release Notes

https://docs.couchbase.com/server/current/release-notes/relnotes.html

Issue Tracking

https://forums.couchbase.com/tags/security

Vendor Advisory

https://www.couchbase.com/alerts/

Scores

CVSS v3 4.9

EPSS 0.0016

EPSS Percentile 36.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-297

Status published

Products (2)

couchbase/.net_sdk < 3.7.1

nuget/CouchbaseNetClient 0NuGet

Published Jun 18, 2025

Tracked Since Feb 18, 2026