CVE-2025-7395

Summary

A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.

Affected Software

VendorProductVersion RangeStatus
wolfSSLwolfSSL5.6.4 <= 5.8.0affected

Weaknesses

  • CWE-295: CWE-295 Improper Certificate Validation

Workarounds

Manually load CA certificates into wolfSSL instead of relying on apple native certificate verification, or upgrade to wolfSSL commit fbc483e23a3e42d5430a838230db1f8c90b88d41 or newer

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References