Platform
python
Component
wolfssl
Fixed in
5.8.3
5.8.4.post0
CVE-2025-15346 is a critical vulnerability affecting the wolfssl-py Python package. This flaw stems from an incorrect handling of client certificate verification modes, specifically when verifymode = CERTREQUIRED is set. Consequently, mutual TLS (mTLS) client authentication can be bypassed, allowing attackers to establish connections without presenting a client certificate. Affected versions include those prior to 5.8.4.post0, and a fix has been released.
The core impact of CVE-2025-15346 is the circumvention of mTLS authentication. mTLS is a security protocol that requires both the client and server to present valid certificates during the TLS handshake, providing a strong layer of authentication. By exploiting this vulnerability, an attacker can connect to a server as if they were a legitimate client, potentially gaining unauthorized access to sensitive data and resources. This could include accessing APIs, databases, or other backend systems protected by mTLS. The lack of certificate verification effectively renders the mTLS implementation useless, exposing systems to significant risk. The potential for data breaches and unauthorized access is high, particularly in environments where mTLS is relied upon for critical security controls.
CVE-2025-15346 was published on 2026-01-08. The vulnerability's criticality (CVSS 9.5) indicates a high probability of exploitation. Public proof-of-concept (PoC) code is not currently available, but the ease of exploitation (simply omitting the client certificate) suggests that PoCs are likely to emerge. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting wolfssl-py.
Exploit Status
EPSS
0.07% (21% percentile)
CISA SSVC
The primary mitigation for CVE-2025-15346 is to upgrade to version 5.8.4.post0 or later of the wolfssl-py package. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While not a complete solution, strengthening server-side authentication checks (e.g., verifying client IP addresses or other contextual information) can add an additional layer of defense. Review and audit all mTLS configurations to ensure proper certificate validation is enforced wherever possible. After upgrading, confirm the fix by attempting a connection without a client certificate and verifying that the connection is rejected.
Update the wolfssl-py library to version 5.8.4 or higher. This corrects the incorrect client certificate validation in CERT_REQUIRED mode. You can update using pip: `pip install --upgrade wolfssl-py`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-15346 is a critical vulnerability in the wolfssl-py Python package where client certificate requirements are not fully enforced, allowing attackers to bypass mTLS authentication by omitting a client certificate.
You are affected if you are using wolfssl-py versions prior to 5.8.4.post0 and rely on mTLS for authentication.
Upgrade to version 5.8.4.post0 or later of the wolfssl-py package. If immediate upgrade is not possible, consider temporary workarounds like strengthening server-side authentication checks.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official wolfssl advisory and security announcements on the wolfssl website for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.