TLS 1.3 Vulnerability in wolfSSL Affecting Secure Connections
CVE-2025-11935

6.3 MEDIUM

Key Information:

Vendor: wolfSSL
Status: Vendor
CVE Published: 21 November 2025

What is CVE-2025-11935?

A vulnerability in wolfSSL allows a malicious server to bypass Perfect Forward Secrecy (PFS) during TLS 1.3 pre-shared key (PSK) connections. When the client sends a ClientHello that requests PFS and the server's response omits the requisite key_share extension, the wolfSSL client may proceed with the handshake without the intended PFS safeguards. This oversight significantly undermines the security of the connection by permitting reuse of an authenticated PSK without PFS, exposing clients to potential security risks and data interception.
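As an added illustration (not code from this advisory or from wolfSSL), the following Python sketch shows the client-side check whose absence the CVE describes: parse the ServerHello extensions and refuse a PSK resumption that carries no key_share when the client offered only the psk_dhe_ke mode. The ServerHello bytes, the builder and the function names are constructed for this example, and the parser assumes it receives the ServerHello body with the record and handshake headers already stripped.

```python
import struct

# TLS 1.3 extension type codes and psk_key_exchange_modes values (RFC 8446, 4.2)
EXT_PRE_SHARED_KEY, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 41, 43, 51
PSK_KE, PSK_DHE_KE = 0, 1

def parse_extensions(block: bytes) -> dict:
    """Parse a TLS extensions vector: 2-byte total length, then (type, len, data) triples."""
    (total,) = struct.unpack("!H", block[:2])
    body = block[2:2 + total]
    if len(body) != total:
        raise ValueError("extensions length does not match data")
    exts, off = {}, 0
    while off < len(body):
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + ext_len]
        if len(data) != ext_len or ext_type in exts:
            raise ValueError("truncated or duplicate extension")
        exts[ext_type] = data
        off += 4 + ext_len
    return exts

def server_hello_extensions(sh: bytes) -> dict:
    """Skip the fixed ServerHello fields (RFC 8446, 4.1.3) and return its extensions."""
    off = 2 + 32              # legacy_version, random
    off += 1 + sh[off]        # legacy_session_id_echo
    off += 2 + 1              # cipher_suite, legacy_compression_method
    return parse_extensions(sh[off:])

def accept_psk_server_hello(client_modes: set, sh: bytes) -> tuple:
    """Client-side check: when the client offered only psk_dhe_ke, a ServerHello that
    selects the PSK must also carry key_share; otherwise no (EC)DHE ran and the
    resumed session has no forward secrecy, so the handshake must be aborted."""
    exts = server_hello_extensions(sh)
    if EXT_PRE_SHARED_KEY in exts and PSK_KE not in client_modes and EXT_KEY_SHARE not in exts:
        return False, "PSK selected without key_share: forward secrecy lost"
    return True, "ok"

def build_server_hello(exts: list) -> bytes:
    """Constructed minimal ServerHello body (not a real capture): zero random, TLS_AES_128_GCM_SHA256."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(ext_body)) + ext_body)

# Constructed samples: a compliant PSK ServerHello with key_share, and one that omits it.
X25519_SHARE = struct.pack("!HH", 0x001D, 32) + bytes(32)   # group x25519, dummy key
GOOD_SH = build_server_hello([(EXT_SUPPORTED_VERSIONS, b"\x03\x04"),
                              (EXT_PRE_SHARED_KEY, b"\x00\x00"), (EXT_KEY_SHARE, X25519_SHARE)])
BAD_SH = build_server_hello([(EXT_SUPPORTED_VERSIONS, b"\x03\x04"), (EXT_PRE_SHARED_KEY, b"\x00\x00")])
```

A client that offered both psk_ke and psk_dhe_ke legitimately accepts the second sample; only a client that demanded psk_dhe_ke must abort on it.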

Affected Version(s)

wolfSSL Linux v5.8.2

CVSS v4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jaehun Lee, Pohang University of Science and Technology (POSTECH)
Kyungmin Bae, Pohang University of Science and Technology (POSTECH)