CVE-2025-15346

Source
https://cve.org/CVERecord?id=CVE-2025-15346
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15346.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-15346
Aliases
Downstream
Published
2026-01-08T00:15:59.393Z
Modified
2026-03-14T12:41:46.341288Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
Summary
[none]
Details

A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.

Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.

This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.

The issue affects versions up to and including 5.8.2.

References

Affected packages

Git / github.com/wolfssl/wolfssl-py

Affected ranges

Type
GIT
Repo
https://github.com/wolfssl/wolfssl-py
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v3.*
v3.12.2
v3.13.0-0
v3.13.0-1
v3.15.7-0
v4.*
v4.1.0-0
v5.*
v5.3.0-stable
v5.4.0-stable
v5.5.3-stable
v5.5.4
v5.6.0-stable
v5.6.6-stable
v5.7.2-stable
v5.7.4-stable
v5.8.2-stable

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15346.json"