wolfSSL
cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*
- >= 5.7.6, < 5.8.2
A vulnerability exists in wolfSSL versions 5.7.6 up to, but not including, 5.8.2 when built with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options. This issue causes the wolfSSL client to improperly verify server certificate domain names, accepting any certificate from a trusted CA regardless of hostname. The flaw arises because the native certificate validation on Apple platforms overrides important verification errors, including those related to hostname matching, allowing insecure connections to be established.
Exploitation of this vulnerability could lead to man-in-the-middle attacks, as clients may accept fraudulent certificates, allowing attackers to intercept or alter communications.
Users are advised to update wolfSSL to version 5.8.2 or later. Those using the OpenSSL compatibility layer should ensure that the native certificate validation feature is disabled on Apple platforms.
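To triage a build against the conditions above, the following added example (not part of the advisory or of wolfSSL itself) reads the text of a build's `wolfssl/version.h` and `wolfssl/options.h` and reports whether the version is in the affected range with both options enabled. It assumes a configure-generated `options.h`; builds that use `user_settings.h` or pass defines on the compiler command line need those sources checked instead, and the sample headers are constructed.

```python
import re

# Affected range taken from the advisory: >= 5.7.6, < 5.8.2
AFFECTED_MIN = (5, 7, 6)
FIXED_IN = (5, 8, 2)
# Per the advisory, both build options must be enabled for the flaw to apply.
REQUIRED_OPTIONS = ("WOLFSSL_SYS_CA_CERTS", "WOLFSSL_APPLE_NATIVE_CERT_VALIDATION")

def parse_version(version_h: str):
    """Extract (major, minor, patch) from LIBWOLFSSL_VERSION_STRING in version.h."""
    m = re.search(r'#\s*define\s+LIBWOLFSSL_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)', version_h)
    if not m:
        raise ValueError("LIBWOLFSSL_VERSION_STRING not found")
    return tuple(int(x) for x in m.groups())

def enabled_macros(header: str):
    """Return macros left defined after applying #define/#undef in file order.
    Conditional blocks (#if/#ifdef) are not evaluated, so treat this as a hint."""
    header = re.sub(r"/\*.*?\*/", "", header, flags=re.S)  # drop block comments
    defined = set()
    for line in header.splitlines():
        line = line.split("//", 1)[0]  # drop line comments
        m = re.match(r"\s*#\s*(define|undef)\s+(\w+)", line)
        if m and m.group(1) == "define":
            defined.add(m.group(2))
        elif m:
            defined.discard(m.group(2))
    return defined

def assess(version_h: str, options_h: str):
    """Combine the version-range check with the build-option check."""
    version = parse_version(version_h)
    in_range = AFFECTED_MIN <= version < FIXED_IN
    macros = enabled_macros(options_h)
    missing = [o for o in REQUIRED_OPTIONS if o not in macros]
    return {"version": version, "in_range": in_range,
            "options_enabled": not missing, "affected": in_range and not missing}

# Constructed sample headers (not taken from a real build).
SAMPLE_VERSION_H = '#define LIBWOLFSSL_VERSION_STRING "5.8.0"\n'
SAMPLE_OPTIONS_H = """
#undef  WOLFSSL_SYS_CA_CERTS
#define WOLFSSL_SYS_CA_CERTS
#undef  WOLFSSL_APPLE_NATIVE_CERT_VALIDATION
#define WOLFSSL_APPLE_NATIVE_CERT_VALIDATION
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_H, SAMPLE_OPTIONS_H))
```

A result of `affected: False` from this check only covers the headers it was given; a statically linked or vendored copy of wolfSSL elsewhere in the product has to be checked separately.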