Out-of-Bounds Read Vulnerability in OpenSSL HTTP Client API Functions
CVE-2025-9232
What is CVE-2025-9232?
An application that uses the OpenSSL HTTP client API may perform an out-of-bounds read under a specific configuration: when the 'no_proxy' environment variable is set and the HTTP URL being processed contains an IPv6 address. The out-of-bounds read can crash the application, causing a Denial of Service. The vulnerability is reachable only when an attacker-controlled URL is passed to the OpenSSL function. The impact is limited, since these explicit conditions must all hold, and the affected HTTP client implementation is separate from OpenSSL's FIPS modules.
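As an added example (not code from OpenSSL or from this advisory), a guard an application can place in front of the OpenSSL HTTP client while it still runs an affected build: it refuses to hand over a URL when the three conditions named above coincide, that is, the runtime version falls in an affected range, no_proxy is set, and the URL host is a bracketed IPv6 literal. The version is passed as major/minor/patch integers and the no_proxy value as a string; both are assumed to be obtained by the caller, and the parser is self-contained so it never touches the vulnerable code path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if major.minor.patch is in one of the affected ranges listed on this page. */
bool openssl_version_affected(int major, int minor, int patch)
{
    if (major != 3)
        return false;
    switch (minor) {
    case 5: return patch >= 0 && patch < 4;   /* 3.5.0 <= v < 3.5.4 */
    case 4: return patch >= 0 && patch < 3;   /* 3.4.0 <= v < 3.4.3 */
    case 3: return patch >= 3 && patch < 5;   /* 3.3.3 <= v < 3.3.5 */
    default: return false;
    }
}

/* True if the URL authority's host is a bracketed IPv6 literal, e.g.
 * "http://[::1]:8080/path" or "http://user@[2001:db8::1]/".
 * Every read is bounded by the authority length, so a malformed or
 * unterminated bracket is simply reported as "not a literal". */
bool url_host_is_ipv6_literal(const char *url)
{
    const char *a = strstr(url, "://");
    if (a == NULL)
        return false;
    a += 3;
    size_t alen = strcspn(a, "/?#");          /* authority ends at path/query/fragment */
    const char *host = a;
    for (size_t i = 0; i < alen; i++)        /* skip optional userinfo@ */
        if (a[i] == '@')
            host = a + i + 1;
    if (host >= a + alen || *host != '[')
        return false;
    const char *close = memchr(host, ']', (size_t)(a + alen - host));
    return close != NULL && close > host + 1; /* non-empty bracket content */
}

/* Decide whether an untrusted URL may be handed to the OpenSSL HTTP client.
 * no_proxy is the raw environment value (NULL when unset). */
bool safe_to_pass_to_openssl_http(const char *url, const char *no_proxy,
                                  int major, int minor, int patch)
{
    if (!openssl_version_affected(major, minor, patch))
        return true;                          /* patched build: no restriction */
    if (no_proxy == NULL)
        return true;                          /* trigger condition absent */
    return !url_host_is_ipv6_literal(url);    /* refuse IPv6 literals only */
}
```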
Affected Version(s)
OpenSSL >= 3.5.0 and < 3.5.4
OpenSSL >= 3.4.0 and < 3.4.3
OpenSSL >= 3.3.3 and < 3.3.5