Security Flaw in Openfire's Client TLS Authentication Process
CVE-2025-59154

5.9MEDIUM

Key Information:

Vendor

Igniterealtime

Status
Openfire
Vendor
CVE Published:
15 September 2025

What is CVE-2025-59154?

Openfire, an open-source XMPP server, has a critical vulnerability in its SASL EXTERNAL mechanism for TLS client authentication. The issue arises in the handling of user identities extracted from X.509 certificates. Instead of correctly parsing structured ASN.1 data, the server improperly utilizes a method that fetches the Distinguished Name (DN) and applies a regular expression to identify the Common Name (CN). This method can allow a malicious actor to manipulate the contents of the CN, enabling them to impersonate another user if SASL EXTERNAL is enabled and configured to map CNs to user accounts. Remedial measures are included in Openfire versions 5.0.2 and 5.1.0.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Openfire < 5.0.2

References

https://github.com/igniterealtime/Openfire/security/advis...
x_refsource_CONFIRM
https://github.com/igniterealtime/Openfire/blob/8d073dda3...
x_refsource_MISC
https://igniterealtime.atlassian.net/browse/OF-3122
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.