Out-of-Bounds Vulnerability in OpenSSL CMS with Password-Based Encryption
CVE-2025-9230

7.5HIGH

Key Information:

Vendor

OpenSSL
Status
OpenSSL
Vendor
CVE Published:
30 September 2025

What is CVE-2025-9230?

CVE-2025-9230 is an out-of-bounds vulnerability identified in OpenSSL's implementation of Cryptographic Message Syntax (CMS) that utilizes password-based encryption. OpenSSL is a widely used library that provides a robust framework for implementing cryptographic functions within software applications. This vulnerability arises when an application attempts to decrypt CMS messages that have been encrypted using this kind of password-based scheme. The flaw can lead to out-of-bounds read and write operations, which may significantly disrupt the typical functioning of the application.

In technical terms, the out-of-bounds read could result in a crash, effectively causing a Denial of Service (DoS). Moreover, the out-of-bounds write operation poses a risk of memory corruption, which could lead to unintended behavior, including a possible Denial of Service or the execution of arbitrary code supplied by an attacker. Although the potential consequences of exploitation are severe, the actual implementation of password-based encryption in CMS messages is rare, which lowers the likelihood of an attacker successfully exploiting this vulnerability. As a result, the severity of CVE-2025-9230 has been assessed as moderate according to OpenSSL’s security policies.

Potential impact of CVE-2025-9230

  1. Denial of Service: The out-of-bounds read could cause a crash in applications that handle CMS messages, leading to service interruptions and potentially affecting business operations reliant on these applications.

  2. Memory Corruption: The out-of-bounds write may corrupt memory, possibly allowing an attacker to manipulate program execution, which could result in unexpected application behavior or crashes.

  3. Execution of Arbitrary Code: In severe cases, the memory corruption caused by the out-of-bounds write could allow an attacker to execute code of their choice within the context of the application, leading to unauthorized access and control over the system.

Affected Version(s)

OpenSSL 3.5.0 < 3.5.4

OpenSSL 3.4.0 < 3.4.3

OpenSSL 3.3.0 < 3.3.5

References

https://openssl-library.org/news/secadv/20250930.txt
vendor-advisory
https://github.com/openssl/openssl/commit/bae259a211ada63...
patch
https://github.com/openssl/openssl/commit/9e91358f365dee6...
patch

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stanislav Fort (Aisle Research)
Stanislav Fort (Aisle Research)
Viktor Dukhovni
JSON
.
CVE-2025-9230 : Out-of-Bounds Vulnerability in OpenSSL CMS with Password-Based Encryption