{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T18:37:27.042","vulnerabilities":[{"cve":{"id":"CVE-2025-9232","sourceIdentifier":"openssl-security@openssl.org","published":"2025-09-30T14:15:41.313","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the 'no_proxy' environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na 'no_proxy' environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary."},{"lang":"es","value":"Resumen del problema: Una aplicación que utiliza las funciones API del cliente HTTP de OpenSSL puede desencadenar una lectura fuera de límites si la variable de entorno 'no_proxy' está configurada y la porción de host del componente de autoridad de la URL HTTP es una dirección IPv6.\n\nResumen del impacto: Una lectura fuera de límites puede desencadenar un fallo que lleva a una denegación de servicio para una aplicación.\n\nLas funciones API del cliente HTTP de OpenSSL pueden ser utilizadas directamente por las aplicaciones, pero también son utilizadas por las funciones del cliente OCSP y la implementación del cliente CMP (Protocolo de Gestión de Certificados) en OpenSSL. Sin embargo, es poco probable que las URL utilizadas por estas implementaciones sean controladas por un atacante.\n\nEn este código vulnerable, la lectura fuera de límites solo puede desencadenar un fallo. Además, la vulnerabilidad requiere que una URL controlada por un atacante sea pasada de una aplicación a la función de OpenSSL y que el usuario tenga configurada una variable de entorno 'no_proxy'. Por las razones antes mencionadas, el problema fue evaluado como de baja severidad.\n\nEl código vulnerable fue introducido en las siguientes versiones de parche: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 y 3.5.0.\n\nLos módulos FIPS en 3.5, 3.4, 3.3, 3.2, 3.1 y 3.0 no se ven afectados por este problema, ya que la implementación del cliente HTTP está fuera del límite del módulo FIPS de OpenSSL."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"openssl-security@openssl.org","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"references":[{"url":"https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35","source":"openssl-security@openssl.org"},{"url":"https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b","source":"openssl-security@openssl.org"},{"url":"https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3","source":"openssl-security@openssl.org"},{"url":"https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf","source":"openssl-security@openssl.org"},{"url":"https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0","source":"openssl-security@openssl.org"},{"url":"https://openssl-library.org/news/secadv/20250930.txt","source":"openssl-security@openssl.org"},{"url":"http://www.openwall.com/lists/oss-security/2025/09/30/5","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}