JLSEC-2025-227

See a problem?
Please try reporting it to the source first.
Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-227.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-227.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2025-227
Upstream
Published
2025-11-21T15:59:04.054Z
Modified
2025-11-21T16:18:04.622958Z
Summary
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted ...
Details

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtlssslset_hostname.

Database specific 
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "id": "CVE-2025-27809",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27809",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-27809",
            "published": "2025-03-25T06:15:41Z",
            "modified": "2025-07-17T15:57:21.527Z",
            "imported": "2025-11-20T23:04:02.701Z"
        }
    ]
}
References

Affected packages

Julia / MbedTLS_jll

Package

Name
MbedTLS_jll
Purl
pkg:julia/MbedTLS_jll?uuid=c8ffd9c3-330d-5841-b78e-0817d7145fa1

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.28.10+0