CVE-2025-23419

MEDIUM EPSS 83.1%

Published Feb 5, 20251y ago · Modified Jun 17, 20261w ago

5.3 CVSS 4.0

Medium

Published Feb 5, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

Base Score

5.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

83.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 8

Vendor	Product	Version	Range
f5	nginx	*	≥1.11.4 – <1.26.3
f5	nginx	*	≥1.27.0 – <1.27.4
f5	nginx_plus	*	≥r28 – <r32
f5	nginx_plus	r32	any
f5	nginx_plus	r32	any
f5	nginx_plus	r33	any
f5	nginx_plus	r33	any
debian	debian_linux	11.0	any

References 3

openwall.com http://www.openwall.com/lists/oss-security/2025/02/05/8

Mailing ListThird Party Advisory
lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00017.html

Issue TrackingThird Party Advisory
my.f5.com https://my.f5.com/manage/s/article/K000149173

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.