CVE-2025-23419

medium

CVSS v3 Base Score

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score

0.6%

Exploitation probability in 30 days

Top 30% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Confidentiality

Low

Integrity

None

Availability

None

Published: February 5, 2025 (462 days ago)

Last Modified: January 27, 2026

Vendor: F5

Description

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE

CWE-863

Affected Products

f5 nginxf5 nginx plusdebian debian linux

References

🔗 my.f5.com 🔗 www.openwall.com 🔗 lists.debian.org

CVE-2025-23419

Vulnerability Report

Description

CWE

Affected Products

References