CVE-2025-15346
Mutual TLS Bypass in wolfssl-py Due to Auth Misconfiguration
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: wolfSSL Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolfssl | wolfssl-py | to 5.8.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the wolfssl Python package (wolfssl-py) occurs because when the SSL verification mode is set to CERT_REQUIRED, the necessary flag (WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) was not set. As a result, the server treated the mode like CERT_OPTIONAL, meaning it would verify a client certificate if presented but would still allow connections without one. This flaw allows attackers to bypass mutual TLS (mTLS) client authentication by omitting the client certificate during the TLS handshake, leading to improper authentication. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to bypass mutual TLS (mTLS) client authentication. Because the server does not enforce the requirement for a client certificate, unauthorized clients can connect without providing a certificate, potentially gaining access to systems or data that should be protected by strict client authentication. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, monitor TLS handshake logs for connections where client certificates are expected but not presented or verified. Specifically, check if connections are accepted without client certificates when verify_mode is set to CERT_REQUIRED. You can use packet capture tools like tcpdump or Wireshark to inspect TLS handshakes and verify if client certificates are being sent. Additionally, reviewing server logs or enabling debug logging in wolfssl-py to confirm whether the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag is set can help detect improper enforcement. There are no specific commands provided in the resources. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the wolfssl-py package to version 5.8.4 or later, where the vulnerability is fixed by properly setting the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag when verify_mode is CERT_REQUIRED. This ensures strict client certificate verification and prevents connections without valid client certificates. If upgrading is not immediately possible, review and modify your SSL/TLS configuration to enforce client certificate verification strictly, ensuring that connections without client certificates are rejected. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake, resulting in improper authentication. Such a flaw can undermine the security controls required by common standards and regulations like GDPR and HIPAA, which mandate strong authentication and protection of sensitive data. Failure to enforce strict client certificate verification could lead to unauthorized access, potentially causing non-compliance with these regulations. The fix restores proper enforcement of client certificate requirements, thereby improving compliance posture. [1, 2, 3]