प्लेटफ़ॉर्म
python
घटक
wolfssl
में ठीक किया गया
5.8.3
5.8.4.post0
CVE-2025-15346 is a critical vulnerability affecting the wolfssl-py Python package. This flaw stems from an incorrect handling of client certificate verification modes, specifically when verifymode = CERTREQUIRED is set. Consequently, mutual TLS (mTLS) client authentication can be bypassed, allowing attackers to establish connections without presenting a client certificate. Affected versions include those prior to 5.8.4.post0, and a fix has been released.
The core impact of CVE-2025-15346 is the circumvention of mTLS authentication. mTLS is a security protocol that requires both the client and server to present valid certificates during the TLS handshake, providing a strong layer of authentication. By exploiting this vulnerability, an attacker can connect to a server as if they were a legitimate client, potentially gaining unauthorized access to sensitive data and resources. This could include accessing APIs, databases, or other backend systems protected by mTLS. The lack of certificate verification effectively renders the mTLS implementation useless, exposing systems to significant risk. The potential for data breaches and unauthorized access is high, particularly in environments where mTLS is relied upon for critical security controls.
CVE-2025-15346 was published on 2026-01-08. The vulnerability's criticality (CVSS 9.5) indicates a high probability of exploitation. Public proof-of-concept (PoC) code is not currently available, but the ease of exploitation (simply omitting the client certificate) suggests that PoCs are likely to emerge. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting wolfssl-py.
Systems relying on wolfssl-py for mTLS authentication are at significant risk. This includes applications and services that use wolfssl-py as a client to connect to servers requiring client certificate verification. Shared hosting environments where multiple applications share the same Python environment are particularly vulnerable, as a compromise of one application could potentially expose all others using the vulnerable wolfssl-py version.
• python / supply-chain:
import wolfssl
print(wolfssl.__version__)• python / supply-chain:
import subprocess
result = subprocess.run(['pip', 'show', 'wolfssl'], capture_output=True, text=True)
print(result.stdout)• python / supply-chain:
import os
if os.path.exists('/usr/local/lib/python3.x/site-packages/wolfssl/__init__.py'):
with open('/usr/local/lib/python3.x/site-packages/wolfssl/__init__.py', 'r') as f:
print(f.read()[:100]) # Check for version stringdisclosure
एक्सप्लॉइट स्थिति
EPSS
0.07% (21% शतमक)
CISA SSVC
The primary mitigation for CVE-2025-15346 is to upgrade to version 5.8.4.post0 or later of the wolfssl-py package. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While not a complete solution, strengthening server-side authentication checks (e.g., verifying client IP addresses or other contextual information) can add an additional layer of defense. Review and audit all mTLS configurations to ensure proper certificate validation is enforced wherever possible. After upgrading, confirm the fix by attempting a connection without a client certificate and verifying that the connection is rejected.
wolfssl-py लाइब्रेरी को संस्करण 5.8.4 या उच्चतर में अपडेट करें। यह CERT_REQUIRED मोड में क्लाइंट प्रमाणपत्र के गलत सत्यापन को ठीक करता है। आप pip का उपयोग करके अपडेट कर सकते हैं: `pip install --upgrade wolfssl-py`।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-15346 is a critical vulnerability in the wolfssl-py Python package where client certificate requirements are not fully enforced, allowing attackers to bypass mTLS authentication by omitting a client certificate.
You are affected if you are using wolfssl-py versions prior to 5.8.4.post0 and rely on mTLS for authentication.
Upgrade to version 5.8.4.post0 or later of the wolfssl-py package. If immediate upgrade is not possible, consider temporary workarounds like strengthening server-side authentication checks.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official wolfssl advisory and security announcements on the wolfssl website for detailed information and updates.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी requirements.txt फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।