CVE-2025-69420

7.5 HIGH

📋 TL;DR

A type confusion vulnerability in OpenSSL's TimeStamp Response verification allows attackers to cause denial of service by providing malformed timestamp responses. Applications that verify timestamp responses using TS_RESP_verify_response() are affected. The vulnerability exists in multiple OpenSSL versions but has low severity due to limited usage of the TimeStamp protocol.

💻 Affected Systems

Products:
  • OpenSSL
Versions: OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1
Operating Systems: All operating systems using affected OpenSSL versions
Default Config Vulnerable: ⚠️ Yes
Notes: FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected. OpenSSL 1.0.2 is not affected.

📦 What is this software?

OpenSSL by OpenSSL

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crash leading to denial of service for services that verify timestamp responses

🟠 Likely Case: Limited denial of service affecting specific timestamp verification functionality

🟢 If Mitigated: No impact if timestamp response verification is disabled or not used

🌐 Internet-Facing: LOW - TimeStamp protocol is not widely used and requires specific malformed input
🏢 Internal Only: LOW - Same limited impact, requires specific timestamp verification functionality

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires providing malformed TimeStamp Response to applications that verify them. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in commits referenced in CVE details

Vendor Advisory: https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9

Restart Required: Yes

Instructions:

1. Update OpenSSL to the patched version
2. Recompile applications linked against OpenSSL
3. Restart affected services

🔧 Temporary Workarounds

Disable TimeStamp Response verification
Applies to: all
Disable or remove timestamp response verification functionality if it is not required; configure applications not to call TS_RESP_verify_response().

🧯 If You Can't Patch

  • Implement network filtering to block malformed timestamp responses
  • Monitor for application crashes related to timestamp verification

🔍 How to Verify

Check if Vulnerable:

Check the OpenSSL version with the 'openssl version' command

Check Version:

openssl version

Verify Fix Applied:

Verify that the OpenSSL version is updated and that applications linked against it have been recompiled

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing timestamp responses
  • Segmentation faults in OpenSSL timestamp functions

Network Indicators:

  • Malformed timestamp response traffic to applications

SIEM Query:

Process crashes with OpenSSL timestamp functions in stack trace
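The log indicators and SIEM query above can be turned into a small correlation rule: flag a log source that reports both a crash (segfault or core dump) and a stack frame in one of OpenSSL's timestamp (TS_*) functions. The script below is an added example, not code from this page or from the OpenSSL project. It assumes syslog-style lines of the form "Mon DD HH:MM:SS host prog[pid]: message", that the backtrace frames are logged by the same source that reports the core dump (as systemd-coredump does), and that OpenSSL's timestamp functions share the TS_ prefix seen in TS_RESP_verify_response(); the sample log lines, hosts, PIDs and addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (not captured from any real system): a kernel
# segfault record, a core-dump record with two backtrace frames naming
# OpenSSL's timestamp verification function, and unrelated noise lines
# (an SSH login and a crash in a non-OpenSSL library) that must not alert.
SAMPLE_LOG = """\
Jan 10 12:00:01 host1 kernel: tsverify[4242]: segfault at 0 ip 00007f3a1c2b3d4e sp 00007ffd11223344 error 4 in libcrypto.so.3[7f3a1c000000+300000]
Jan 10 12:00:01 host1 systemd-coredump[4250]: Process 4242 (tsverify) of user 1000 dumped core.
Jan 10 12:00:01 host1 systemd-coredump[4250]: #0  0x00007f3a1c2b3d4e in TS_RESP_verify_response () from /usr/lib/libcrypto.so.3
Jan 10 12:00:01 host1 systemd-coredump[4250]: #1  0x000055d0c0a01234 in verify_timestamp () at main.c:87
Jan 10 12:05:17 host1 sshd[5001]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan 10 12:06:00 host1 myapp[5100]: segfault at 10 ip 00007f9900112233 sp 00007ffd55667788 error 4 in libpng16.so.16[7f9900100000+40000]
"""

# Syslog-style line: timestamp, host, program, optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Crash indicators from the "Log Indicators" list above.
CRASH_RE = re.compile(r"\b(segfault at|dumped core|SIGSEGV)\b")
# Stack frames in OpenSSL timestamp functions (assumed TS_ prefix).
TS_FRAME_RE = re.compile(r"\b(TS_[A-Za-z0-9_]+)\b")


@dataclass
class Alert:
    source: str                      # "prog[pid]" that logged the evidence
    functions: list = field(default_factory=list)  # TS_* frames seen
    lines: list = field(default_factory=list)      # raw lines that matched


def scan_log(text: str) -> list:
    """Return one Alert per log source that shows both a crash indicator and
    a frame in an OpenSSL timestamp function. Lines that do not parse are
    skipped; crashes without a TS_ frame (and vice versa) never alert."""
    groups = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        source = f"{m['prog']}[{m['pid']}]" if m["pid"] else m["prog"]
        g = groups.setdefault(source, {"crash": False, "funcs": [], "lines": []})
        msg = m["msg"]
        if CRASH_RE.search(msg):
            g["crash"] = True
            g["lines"].append(line)
        for fn in TS_FRAME_RE.findall(msg):
            if fn not in g["funcs"]:
                g["funcs"].append(fn)
            g["lines"].append(line)
    return [
        Alert(source, g["funcs"], g["lines"])
        for source, g in groups.items()
        if g["crash"] and g["funcs"]
    ]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"ALERT {alert.source}: crash with OpenSSL timestamp frames "
              f"{', '.join(alert.functions)}")
        for raw in alert.lines:
            print("   ", raw)
```

The kernel's own segfault line is kept as a separate source and does not alert on its own, so the rule only fires when a backtrace actually attributes the crash to a TS_ function; the crash in libpng is ignored for the same reason. Feed real journal or syslog text into scan_log() and raise the result to the SIEM as the "process crash with OpenSSL timestamp function in stack trace" event the query above describes.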
