{"id":"CVE-2025-27809","details":"Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, does not check the server certificate against the expected hostname unless the TLS client application calls mbedtls_ssl_set_hostname, so a server that presents a trusted certificate issued for any hostname is accepted.","modified":"2026-05-28T03:53:04.889439732Z","published":"2025-03-25T00:00:00Z","related":["openSUSE-SU-2025:14928-1"],"database_specific":{"cwe_ids":["CWE-1188"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27809.json","cna_assigner":"mitre"},"references":[{"type":"WEB","url":"https://mastodon.social/@bagder/114219540623402700"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27809.json"},{"type":"ADVISORY","url":"https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27809"},{"type":"REPORT","url":"https://github.com/Mbed-TLS/mbedtls/issues/466"},{"type":"PACKAGE","url":"https://github.com/Mbed-TLS/mbedtls/releases"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mbed-tls/mbedtls","events":[{"introduced":"8df2f8e7b9c7bb9390ac74bb7bace27edca81a2b"},{"fixed":"22098d41c6620ce07cf8a0134d37302355e1e5ef"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27809.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}