PT-2025-37756 · Jive · Openfire

Onmywaytoheaven · Published 2025-09-15 · Updated 2025-09-20 · CVE-2025-59154

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Openfire versions prior to 5.0.2
Openfire version 5.1.0

Description

Openfire's SASL EXTERNAL mechanism for client TLS authentication contains a flaw in how it extracts user identities from X.509 certificates. The code uses X509Certificate.getSubjectDN().getName() and a regular expression to identify the Common Name (CN), which does not properly escape special characters. This allows a malicious certificate to embed CN= within another attribute value, causing the regex to incorrectly extract a different identity. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this enables an attacker to impersonate another user. The primary risk exists in private CA environments and client certificate authentication where identity mapping relies solely on the CN.

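The following audit check is an added example, not Openfire's code: it compares a regex scan of the flat subject string with a structural RFC 2253 parse and flags subjects where the two disagree about the CN. The class name, the pattern (an assumed stand-in for the regex the Description mentions) and the sample subject strings are constructed for illustration.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CnMappingAudit {
    // Assumed stand-in for the regex-based extraction the advisory describes.
    private static final Pattern NAIVE_CN = Pattern.compile("(?i)cn=([^,]*)");

    /** CN values as seen by a regex scan of the flat DN string. */
    static Set<String> regexCns(String dn) {
        Set<String> out = new HashSet<>();
        Matcher m = NAIVE_CN.matcher(dn);
        while (m.find()) out.add(m.group(1).trim());
        return out;
    }

    /** CN values from a structural RFC 2253 parse, which honours escaping. */
    static Set<String> parsedCns(String dn) throws NamingException {
        Set<String> out = new HashSet<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            Attribute cn = rdn.toAttributes().get("cn"); // covers multi-valued RDNs
            for (int i = 0; cn != null && i < cn.size(); i++) out.add(String.valueOf(cn.get(i)));
        }
        return out;
    }

    /** True when the two views disagree, i.e. the subject needs manual review. */
    static boolean needsReview(String dn) throws NamingException {
        return !regexCns(dn).equals(parsedCns(dn));
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subject strings, not taken from any real certificate.
        List<String> subjects = List.of(
            "CN=user-a,OU=Staff,O=Example",
            "CN=user-a,O=Example\\, CN=user-b");
        for (String dn : subjects) {
            System.out.printf("%-40s regex=%s parsed=%s review=%b%n",
                dn, regexCns(dn), parsedCns(dn), needsReview(dn));
        }
    }
}
```

To audit issued client certificates, feed it the string returned by cert.getSubjectX500Principal().getName(), which is in RFC 2253 form.
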
Recommendations

Openfire versions prior to 5.0.2: Upgrade to version 5.0.2 or later.
Openfire version 5.1.0: Upgrade to version 5.1.0 or later.

As a temporary workaround, configure Openfire to use only the Subject Alternative Name (SAN) mapper: org.jivesoftware.util.cert.SANCertificateIdentityMapping. Alternatively, disable certificate-based authentication for server-to-server connections or mutual authentication for client-to-server connections.

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2025-59154
GHSA-W252-645G-87MP

Affected Products

Openfire