PT-2025-39988 · OpenSSL +6

Stanislav Fort · Published 2025-09-30 · Updated 2026-04-27 · CVE-2025-9232

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

OpenSSL versions 3.0.16 through 3.5.0
EDK II (affected versions not specified)
Description

An issue has been identified in OpenSSL where an application using the HTTP client API functions may trigger an out-of-bounds read if the no_proxy environment variable is set and the host portion of the HTTP URL is an IPv6 address. This can lead to a denial of service for the application. The vulnerable code was introduced in releases 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0, and 3.5.0. The FIPS modules are not affected, as the HTTP client implementation is outside the FIPS module boundary. Triggering the issue requires an attacker-controlled URL to be passed to the OpenSSL function while the user has the no_proxy environment variable set. The issue was assessed as having low severity. The HTTP client API functions are used directly by applications and also by the OCSP and CMP client implementations within OpenSSL, though the URLs used by these implementations are unlikely to be controlled by an attacker.
Recommendations

OpenSSL versions 3.0.16 through 3.0.17-1~deb12u3
OpenSSL versions 3.1.8 through 3.5.1-1+deb13u1
OpenSSL versions 3.2.4 through 3.5.1-1+deb13u1
OpenSSL versions 3.3.3 through 3.5.1-1+deb13u1
OpenSSL versions 3.4.0 through 3.5.1-1+deb13u1
OpenSSL version 3.5.0 through 3.5.1-1+deb13u1

As a temporary workaround, consider disabling the use of the HTTP client API functions if possible. Restrict access to the vulnerable HTTP client API functions to minimize the risk of exploitation. Avoid setting the no_proxy environment variable if it is not required.
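The two preconditions in the description (a no-proxy variable set, an IPv6 literal as the URL host) and the per-branch introduction versions can be turned into a quick exposure triage. The following is an added example written for this page, not code from OpenSSL or the advisory; it assumes the variable is spelled no_proxy or NO_PROXY, and the sample version string and URL are constructed.

```python
import os
import re
import ipaddress
from urllib.parse import urlsplit

# Per-branch versions in which the vulnerable HTTP client code first appeared,
# taken from the advisory text above.
INTRODUCED_IN = {
    (3, 0): (3, 0, 16),
    (3, 1): (3, 1, 8),
    (3, 2): (3, 2, 4),
    (3, 3): (3, 3, 3),
    (3, 4): (3, 4, 0),
    (3, 5): (3, 5, 0),
}

def parse_version(text):
    """Extract (major, minor, patch) from '3.0.16' or 'OpenSSL 3.5.0 8 Apr 2025'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def carries_vulnerable_code(version_text):
    """True when the upstream version is at or past the introduction point for its
    branch. Distributions backport fixes without bumping the upstream version, so
    True means 'check the package changelog', not 'confirmed vulnerable'."""
    v = parse_version(version_text)
    intro = INTRODUCED_IN.get(v[:2])
    return intro is not None and v >= intro

def matches_trigger_conditions(url, environ=None):
    """True only when both advisory preconditions hold: a no-proxy variable is set
    (assumed spelling: no_proxy / NO_PROXY) and the URL host is an IPv6 literal."""
    env = os.environ if environ is None else environ
    if not (env.get("no_proxy") or env.get("NO_PROXY")):
        return False
    try:
        host = urlsplit(url).hostname  # brackets around IPv6 literals are stripped
        return host is not None and ipaddress.ip_address(host).version == 6
    except ValueError:  # malformed URL, or a hostname that is not an IP literal
        return False

def triage(version_text, url, environ=None):
    """One verdict for a (library version, outbound URL) pair."""
    if not carries_vulnerable_code(version_text):
        return "not in affected range"
    if matches_trigger_conditions(url, environ):
        return "affected code AND trigger conditions present"
    return "affected code, trigger conditions absent"

if __name__ == "__main__":
    sample_env = {"no_proxy": "localhost,.internal"}  # constructed sample
    print(triage("OpenSSL 3.4.1 11 Feb 2025", "http://[2001:db8::10]:8080/ocsp", sample_env))
```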

Fix · DoS · Out-of-bounds Read


Weakness Enumeration

Related Identifiers

AZL-67977
AZL-78588
BDU:2025-12887
CVE-2025-9232
DSA-6015-1
ECHO-B2F7-5A6B-FAE1
JLSEC-2026-268
MGASA-2025-0241
OPENSUSE-SU-2025:15723-1
OPENSUSE-SU-2025:20164-1
OPENSUSE-SU-2026:10237-1
RHSA-2026:7261
SUSE-SU-2025:21213-1
SUSE-SU-2025:21224-1
USN-7786-1
USN-7894-1
USN-7894-2

Affected Products

Debian
FreeBSD
IBM AIX
Linux Mint
OpenSSL
RED OS
Ubuntu