CVE-2025-9232
📋 TL;DR
OpenSSL's HTTP client API functions (OSSL_HTTP_*) may perform an out-of-bounds read when the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. The out-of-bounds read can crash the application, which is a Denial of Service. Applications that call the HTTP client API directly, or indirectly through the OCSP and CMP clients (including the 'openssl ocsp' and 'openssl cmp' commands), are affected. OpenSSL rates the issue Low severity.
💻 Affected Systems
- OpenSSL
⚠️ Affected Versions & Manual Verification
The OpenSSL advisory (secadv 20250930) lists the 3.0, 3.2, 3.3, 3.4 and 3.5 release series as vulnerable; the fix ships in 3.0.18, 3.2.6, 3.3.5, 3.4.3 and 3.5.4. The 3.1 series is end-of-life and received no fix. OpenSSL 1.1.1 and 1.0.2 do not have the OSSL_HTTP_* client API and are not affected.
Why manual verification is still needed: distribution packages commonly backport the fix without changing the upstream version string, so a version-only check can report a false positive; conversely, applications that bundle their own OpenSSL are not covered by the system package at all.
- Review the CVE details at NVD
- Check your distribution's or vendor's advisory for the backported fix and the package build that carries it
- Check whether the trigger conditions (attacker-influenced URL with an IPv6 host, and 'no_proxy' set in the process environment) apply in your deployment
- Update to the latest release of your series, or to the vendor package that carries the fix
⚠️ Risk & Real-World Impact
Worst Case
Application crash leading to Denial of Service for services using OpenSSL HTTP client functions with attacker-controlled URLs.
Likely Case
Limited: the attacker must control the URL, the host in that URL must be an IPv6 literal, and the process must have 'no_proxy' set in its environment. Few deployments meet all three conditions, which is why OpenSSL rates the issue Low.
If Mitigated
No impact if the application never hands the OpenSSL HTTP client a URL with an IPv6 host, or if neither 'no_proxy' nor 'NO_PROXY' is set in its environment.
🎯 Exploit Status
Triggering the bug requires all of the following: a URL whose host is an IPv6 address chosen by the attacker, 'no_proxy' (or 'NO_PROXY') set in the process environment, and the application passing that URL to the OpenSSL HTTP client. URLs given to the 'openssl ocsp' and 'openssl cmp' commands are normally operator-supplied. The notable exception is an application that takes the OCSP responder URL from a certificate's AIA extension (X509_get1_ocsp), where whoever issues or presents the certificate chooses the URL. The outcome is an out-of-bounds read and crash, not code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.18, 3.2.6, 3.3.5, 3.4.3 and 3.5.4 (released 30 September 2025; 3.1 is end-of-life and receives no fix)
Vendor Advisory: https://openssl-library.org/news/secadv/20250930.txt
Restart Required: Yes. Processes that have the old shared libcrypto mapped keep running the vulnerable code until they are restarted; statically linked applications must be rebuilt against the fixed release.
Instructions:
1. Identify the installed version with 'openssl version'. For distribution packages also check the package changelog, because backported fixes keep the upstream version string.
2. If the version is below the fixed release for its series, update to the latest release of that series (or the vendor package that carries the fix).
3. Restart every service that links libcrypto, and rebuild and redeploy applications that link OpenSSL statically or bundle their own copy.
🔧 Temporary Workarounds
Unset no_proxy environment variable
Applies to: all platforms. Remove or unset 'no_proxy' in the environment of the affected process. OpenSSL also reads the upper-case spelling, so clear both. Note that this changes proxy behaviour: hosts previously excluded from proxying will now be reached through the configured proxy.
unset no_proxy NO_PROXY
Avoid IPv6 addresses in HTTP URLs
Applies to: all platforms. Configure applications to pass hostnames or IPv4 addresses, not IPv6 literals, in URLs handed to the OpenSSL HTTP client functions (for 'openssl ocsp' and 'openssl cmp', this covers the '-url' option and any configured OCSP responder or CMP server address).
🧯 If You Can't Patch
- Unset both 'no_proxy' and 'NO_PROXY' in the environment of every process that uses the OpenSSL HTTP client (service unit files, container images, cron jobs), not only in interactive shells
- Configure applications so that URLs passed to the OpenSSL HTTP client use hostnames or IPv4 addresses rather than IPv6 literals
🔍 How to Verify
Check if Vulnerable:
Run 'openssl version'. Any 3.x release below the fixed version for its series (3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4) is vulnerable, and every 3.1.x release is vulnerable with no fix available. 1.1.1 and 1.0.2 are not affected. For distribution packages, confirm the backport through the package changelog rather than the version string, and check separately any application that bundles its own OpenSSL.
Check Version:
openssl version
Verify Fix Applied:
After updating, 'openssl version' should report at least the fixed release for your series, and the affected services should have been restarted so that they map the new libcrypto.
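A version and environment check that encodes the conditions above, written as an added example for this page; it is not part of OpenSSL or of the advisory. It assumes the fixed releases from the 20250930 advisory (3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4), treats every 3.1.x build as vulnerable because that series is end-of-life, treats 1.x as not affected because the OSSL_HTTP_* client API only exists from 3.0, and checks both 'no_proxy' and 'NO_PROXY' because OpenSSL reads either spelling. The file name cve_check.sh and the 'check' argument are this example's own choices.

```shell
#!/bin/sh
# Added example for CVE-2025-9232 (not OpenSSL project code).
# Usage: sh cve_check.sh check
# Fixed releases below are taken from the OpenSSL advisory of 2025-09-30;
# the handling of 3.1 and 1.x is this example's assumption, noted inline.

# ver_ge A B: exit 0 if dotted numeric version A >= B, comparing component by component
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# openssl_version_from_banner "OpenSSL 3.0.17 1 Jul 2025" -> prints 3.0.17
# Strips letter or pre-release suffixes ("1.1.1w", "3.5.0-dev").
# Fails for non-OpenSSL banners (LibreSSL, BoringSSL), which this CVE does not cover.
openssl_version_from_banner() {
    case $1 in
        "OpenSSL "*) ;;
        *) return 1 ;;
    esac
    set -- $1                        # word-split the banner; $2 is the version token
    printf '%s\n' "${2%%[!0-9.]*}"
}

# cve_2025_9232_status VERSION -> prints one of:
#   fixed | vulnerable | vulnerable-eol | not-affected | unknown
cve_2025_9232_status() {
    v=$1
    series=${v%.*}                   # 3.0.17 -> 3.0
    case $series in
        3.0) fixed=3.0.18 ;;
        3.2) fixed=3.2.6 ;;
        3.3) fixed=3.3.5 ;;
        3.4) fixed=3.4.3 ;;
        3.5) fixed=3.5.4 ;;
        3.1) echo vulnerable-eol; return 0 ;;   # assumption: EOL series, same code, no fixed release
        1.*) echo not-affected; return 0 ;;     # OSSL_HTTP_* client API is a 3.0 addition
        *)   echo unknown; return 0 ;;          # series not covered by the advisory
    esac
    if ver_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# no_proxy_is_set: exit 0 if either spelling is present in the environment (even if empty)
no_proxy_is_set() {
    [ -n "${no_proxy+x}" ] || [ -n "${NO_PROXY+x}" ]
}

# main: report the status of the system openssl and whether the trigger condition is present;
# exits 0 only when the build is fixed or not affected
main() {
    banner=$(openssl version 2>/dev/null) || { echo "openssl binary not found"; return 2; }
    v=$(openssl_version_from_banner "$banner") || { echo "not an OpenSSL build: $banner"; return 2; }
    status=$(cve_2025_9232_status "$v")
    echo "OpenSSL $v: $status"
    echo "(vendor packages may backport the fix without changing this string; check the package changelog)"
    if no_proxy_is_set; then
        echo "no_proxy/NO_PROXY is set in this environment: the trigger condition for CVE-2025-9232 is present"
    fi
    [ "$status" = fixed ] || [ "$status" = not-affected ]
}

if [ "${1-}" = check ]; then main; fi
```

The 'openssl' binary reports the libcrypto it is linked against, which is normally the system one; language runtimes, container images and statically linked daemons that carry their own OpenSSL need the same check run against their copy, and the environment test only says something about the shell it runs in, not about a service started by an init system with its own environment.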
📡 Detection & Monitoring
Log Indicators:
- Application crashes or segmentation faults when processing HTTP requests with IPv6 addresses
Network Indicators:
- Outbound HTTP, OCSP or CMP requests from OpenSSL-based clients to bracketed IPv6 literals (http://[...]/), in particular from hosts where an HTTP proxy is configured
SIEM Query:
Search kernel and systemd journal records for 'segfault' entries whose faulting module is libcrypto (for example 'segfault at ... in libcrypto.so.3'), and crash or core-dump records for processes that run OCSP or CMP clients; correlate with 'no_proxy' or 'NO_PROXY' in those processes' environments (on Linux, /proc/PID/environ).
🔗 References
- https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35
- https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b
- https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3
- https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf
- https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0
- https://openssl-library.org/news/secadv/20250930.txt
- http://www.openwall.com/lists/oss-security/2025/09/30/5