CVE-2025-59154
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| igniterealtime | openfire | 5.1.0 |
| igniterealtime | openfire | 5.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | Authentication Bypass by Spoofing: an authentication scheme is implemented in a way that lets an attacker supply a forged identity that the server accepts as genuine. Here the spoofed identity is a Common Name smuggled inside another attribute of a client certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Openfire's SASL EXTERNAL mechanism arises from unsafe parsing of the Common Name (CN) attribute in client X.509 certificates. Instead of properly parsing the structured ASN.1 data, Openfire uses a method that returns an unescaped, provider-dependent string and applies a regex to extract the CN. In some implementations like SunJSSE, special characters inside attribute values are not escaped, allowing an attacker to craft a malicious certificate embedding a fake CN inside another attribute (e.g., OU="CN=admin,"). The regex then incorrectly extracts 'admin' as the CN. If SASL EXTERNAL is enabled and CNs are mapped to user accounts, this allows an attacker to impersonate other users. [1]
How can this vulnerability impact me?
If you use Openfire with SASL EXTERNAL authentication enabled and map certificate CNs to user accounts, an attacker who can present a crafted client certificate can authenticate as another user. This can lead to unauthorized access to user accounts and to the sensitive information those accounts can reach. The attack requires network access and high privileges (in practice, the ability to present a client certificate that the server's trust store accepts; the flaw is in how the subject of such a certificate is interpreted, not in the TLS handshake itself) but no user interaction. The impact affects confidentiality and integrity but not availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm whether your Openfire server runs a vulnerable version prior to 5.0.2, and confirm whether the SASL EXTERNAL mechanism with CN-based client TLS authentication is enabled. You can check the version with the package manager (`dpkg -l | grep openfire` on Debian-based systems, `rpm -q openfire` on RPM-based systems) or in the Openfire admin console, which also shows the enabled SASL mechanisms and the client certificate policy (exposed as system properties, `sasl.mechs` and `xmpp.client.cert.policy` in recent releases; confirm the names in your console). To detect suspicious client certificate usage, review Openfire's authentication logs for SASL EXTERNAL logins and look for subject names whose non-CN attributes contain "CN=" or unescaped commas, or that carry more than one CN, since those are the shapes a crafted certificate takes. There is no single command that detects the vulnerability itself; verifying the version and monitoring authentication logs are the key steps. [1]
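The following example is added here and is not Openfire's code. It illustrates two points from the answers above: why a regex run over a provider-dependent DN string extracts the wrong CN, and what the structured alternative (a parser for the RFC 4514 string form, the same job Java's `javax.naming.ldap.LdapName` does in the fix) returns instead. It also includes a small `suspicious_subject` check of the kind the detection answer describes. The regex, the sample subjects and the "legacy" unescaped rendering are constructed for illustration; the exact string a given JSSE provider produces may differ.

```python
"""Added example (not Openfire's code): regex CN extraction vs. a structured
RFC 4514 DN parser, plus a heuristic for spotting crafted certificate subjects."""
import re
from typing import List, Optional, Tuple

# Constructed sample subjects. The "legacy" string mimics an unescaped,
# provider-dependent rendering in which the OU value "CN=admin," is emitted
# verbatim; the RFC 4514 strings escape the comma inside the OU value.
LEGACY_MALICIOUS = "OU=CN=admin,, O=Example Corp, CN=attacker"
RFC4514_MALICIOUS = "OU=CN=admin\\,,O=Example Corp,CN=attacker"
RFC4514_BENIGN = "CN=alice,OU=Staff,O=Example Corp"

# Hypothetical regex in the spirit of the pattern the advisory describes:
# take whatever follows "CN=" up to the next comma, case-insensitively.
CN_REGEX = re.compile(r"(?i)cn=([^,]*)")


def extract_cn_regex(dn: str) -> Optional[str]:
    """The unsafe approach: first 'CN=' anywhere in the string wins."""
    m = CN_REGEX.search(dn)
    return m.group(1).strip() if m else None


RDN = List[Tuple[str, str]]  # one RDN = list of (attribute type, value)


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 string into RDNs. Handles backslash escapes
    (\\, \\2c hex pairs) and '+' multi-valued RDNs. Input must already be
    in the escaped form; feeding it an unescaped legacy string is a bug."""
    rdns: List[RDN] = []
    rdn: RDN = []
    i, n = 0, len(dn)
    while i < n:
        j = dn.index("=", i)  # ValueError on a malformed AVA
        attr_type = dn[i:j].strip().upper()
        i = j + 1
        value = bytearray()
        while i < n and dn[i] not in ",+":
            if dn[i] == "\\":
                i += 1
                if i >= n:
                    raise ValueError("dangling escape")
                pair = dn[i:i + 2]
                if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                    value.append(int(pair, 16))  # \XX hex escape
                    i += 2
                else:
                    value.extend(dn[i].encode())  # \, \= \+ etc.
                    i += 1
            else:
                value.extend(dn[i].encode())
                i += 1
        rdn.append((attr_type, value.decode("utf-8")))
        if i < n and dn[i] == "+":
            i += 1  # another AVA in the same RDN
        elif i < n and dn[i] == ",":
            rdns.append(rdn)
            rdn = []
            i += 1
    if rdn:
        rdns.append(rdn)
    return rdns


def extract_cn_structured(dn: str) -> List[str]:
    """The safe approach: only values whose attribute type is CN count."""
    return [v for rdn in parse_dn(dn) for t, v in rdn if t == "CN"]


def suspicious_subject(dn: str) -> bool:
    """Heuristic for log review: a non-CN value that itself contains 'cn=',
    an unescaped-looking separator inside a value, or more than one CN."""
    parsed = parse_dn(dn)
    cns = extract_cn_structured(dn)
    for rdn in parsed:
        for t, v in rdn:
            if t != "CN" and "cn=" in v.lower():
                return True
            if "," in v or "+" in v:
                return True
    return len(cns) > 1


if __name__ == "__main__":
    print("regex on legacy string :", extract_cn_regex(LEGACY_MALICIOUS))    # admin
    print("regex on RFC 4514     :", extract_cn_regex(RFC4514_MALICIOUS))   # admin\ (garbage)
    print("structured CN(s)      :", extract_cn_structured(RFC4514_MALICIOUS))  # ['attacker']
    print("suspicious?           :", suspicious_subject(RFC4514_MALICIOUS))  # True
```

Two things to take from it: the regex is wrong on both renderings, because it never knows which attribute a `CN=` belongs to, and the structured parser only gives a correct answer when fed the escaped (RFC 2253/4514) form, which is why the fix pairs a proper parser with the method that produces that form rather than the provider-dependent string.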
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade Openfire to version 5.0.2 or later, where the fix replaces the regex with a structured parse of the subject DN (an LDAP name parser over the RFC 2253 string form, so commas and equals signs inside attribute values can no longer be mistaken for RDN boundaries) and prefers identities taken from the Subject Alternative Name extension over the CN. If upgrading is not immediately possible, the options are: deploy a custom certificate identity mapping class that parses subjects structurally; configure Openfire to use SAN-only identity mapping, noting that this breaks authentication for certificates that carry only a CN; or disable certificate-based (SASL EXTERNAL) authentication altogether until the upgrade is done. Each of these trades some functionality for closing the spoofing path, so choose according to which clients depend on client-certificate login. [1]