CVE-2025-23419

Name: CVE-2025-23419
Description: When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS session tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1095403

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version               Status
nginx (PTS)      bullseye (security), bullseye   1.18.0-6.1+deb11u3    vulnerable
                 bookworm                        1.22.1-9              vulnerable
                 trixie                          1.26.0-3              vulnerable
                 sid                             1.26.3-2              fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
nginx     source   (unstable)   1.26.3-2                           1095403

Notes

https://www.openwall.com/lists/oss-security/2025/02/05/8
https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e (release-1.26.3)
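Added illustration, not part of the tracker entry and not nginx's own documentation: an nginx configuration showing the layout the description above refers to (two server blocks on one IP:port, the default server doing client certificate authentication with session resumption enabled), followed by an alternative default server that removes the stated preconditions. Hostnames, certificate paths and CA files are placeholders. Note that ssl_session_tickets defaults to on in nginx, so the precondition can hold even when neither resumption directive is written explicitly. The fix is the package version listed above; the hardened block only removes the preconditions named in the description for builds that cannot be upgraded yet, and is an inference from that description rather than a recommendation taken from the advisory.

```nginx
# Constructed example; all names and paths are placeholders.

# --- Layout described by the advisory (vulnerable on unfixed builds) ---
server {
    listen 443 ssl default_server;
    server_name admin.example.com;          # placeholder

    ssl_certificate     /etc/nginx/tls/admin.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/admin.key;   # placeholder

    # The default server performs client certificate authentication ...
    ssl_verify_client       on;
    ssl_client_certificate  /etc/nginx/tls/clients-ca.pem;   # placeholder

    # ... and session resumption is enabled in it. ssl_session_tickets is
    # "on" by default, so omitting both lines does not remove the condition.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets on;
}

# --- Alternative default server for unfixed builds (use instead of the block
# --- above; nginx allows only one default_server per listen socket) ---
server {
    listen 443 ssl default_server;
    server_name admin.example.com;          # placeholder

    ssl_certificate     /etc/nginx/tls/admin.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/admin.key;   # placeholder

    ssl_verify_client       on;
    ssl_client_certificate  /etc/nginx/tls/clients-ca.pem;   # placeholder

    # Disable both resumption mechanisms named in the description. This costs
    # a full handshake per connection to this listen socket; the other way to
    # remove the precondition is to give each server its own IP:port.
    ssl_session_cache   off;
    ssl_session_tickets off;
}

# Second server on the same IP:port, selected by SNI. It also requires a
# client certificate, here from a different CA than the default server.
server {
    listen 443 ssl;
    server_name api.example.com;            # placeholder

    ssl_certificate     /etc/nginx/tls/api.crt;     # placeholder
    ssl_certificate_key /etc/nginx/tls/api.key;     # placeholder

    ssl_verify_client       on;
    ssl_client_certificate  /etc/nginx/tls/partner-ca.pem;   # placeholder
}
```

To check an installation, run nginx -v for the version and nginx -T to dump the effective configuration; look for every listen socket that carries more than one server block, identify which block is the default (the one marked default_server, or the first listed for that socket), and check whether it uses ssl_verify_client together with a session cache or with tickets left at their default of on.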
