Platform
python
Component
wolfssl
Opgelost in
5.8.3
5.8.4.post0
CVE-2025-15346 is a critical vulnerability affecting the wolfssl-py Python package. This flaw stems from an incorrect handling of client certificate verification modes, specifically when verifymode = CERTREQUIRED is set. Consequently, mutual TLS (mTLS) client authentication can be bypassed, allowing attackers to establish connections without presenting a client certificate. Affected versions include those prior to 5.8.4.post0, and a fix has been released.
The core impact of CVE-2025-15346 is the circumvention of mTLS authentication. mTLS is a security protocol that requires both the client and server to present valid certificates during the TLS handshake, providing a strong layer of authentication. By exploiting this vulnerability, an attacker can connect to a server as if they were a legitimate client, potentially gaining unauthorized access to sensitive data and resources. This could include accessing APIs, databases, or other backend systems protected by mTLS. The lack of certificate verification effectively renders the mTLS implementation useless, exposing systems to significant risk. The potential for data breaches and unauthorized access is high, particularly in environments where mTLS is relied upon for critical security controls.
CVE-2025-15346 was published on 2026-01-08. The vulnerability's criticality (CVSS 9.5) indicates a high probability of exploitation. Public proof-of-concept (PoC) code is not currently available, but the ease of exploitation (simply omitting the client certificate) suggests that PoCs are likely to emerge. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting wolfssl-py.
Systems relying on wolfssl-py for mTLS authentication are at significant risk. This includes applications and services that use wolfssl-py as a client to connect to servers requiring client certificate verification. Shared hosting environments where multiple applications share the same Python environment are particularly vulnerable, as a compromise of one application could potentially expose all others using the vulnerable wolfssl-py version.
• python / supply-chain:
import wolfssl
print(wolfssl.__version__)• python / supply-chain:
import subprocess
result = subprocess.run(['pip', 'show', 'wolfssl'], capture_output=True, text=True)
print(result.stdout)• python / supply-chain:
import os
if os.path.exists('/usr/local/lib/python3.x/site-packages/wolfssl/__init__.py'):
with open('/usr/local/lib/python3.x/site-packages/wolfssl/__init__.py', 'r') as f:
print(f.read()[:100]) # Check for version stringdisclosure
Exploit Status
EPSS
0.07% (21% percentiel)
CISA SSVC
The primary mitigation for CVE-2025-15346 is to upgrade to version 5.8.4.post0 or later of the wolfssl-py package. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While not a complete solution, strengthening server-side authentication checks (e.g., verifying client IP addresses or other contextual information) can add an additional layer of defense. Review and audit all mTLS configurations to ensure proper certificate validation is enforced wherever possible. After upgrading, confirm the fix by attempting a connection without a client certificate and verifying that the connection is rejected.
Werk de wolfssl-py bibliotheek bij naar versie 5.8.4 of hoger. Dit corrigeert de onjuiste validatie van client certificaten in de CERT_REQUIRED modus. U kunt bijwerken met pip: `pip install --upgrade wolfssl-py`.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-15346 is a critical vulnerability in the wolfssl-py Python package where client certificate requirements are not fully enforced, allowing attackers to bypass mTLS authentication by omitting a client certificate.
You are affected if you are using wolfssl-py versions prior to 5.8.4.post0 and rely on mTLS for authentication.
Upgrade to version 5.8.4.post0 or later of the wolfssl-py package. If immediate upgrade is not possible, consider temporary workarounds like strengthening server-side authentication checks.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official wolfssl advisory and security announcements on the wolfssl website for detailed information and updates.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je requirements.txt-bestand en we vertellen je direct of je getroffen bent.