CVE-2025-27809 Information

Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3 on the client side accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

Reference

https://github.com/Mbed-TLS/mbedtls/releases https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/ https://github.com/Mbed-TLS/mbedtls/issues/466 https://mastodon.social/@bagder/114219540623402700