CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-23419: TLS Session Resumption Vulnerability

4.3 CVSS

Description

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Classification

CVE ID: CVE-2025-23419

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor: F5

Product: NGINX Open Source

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.85% (scored less or equal to compared to others)

EPSS Date: 2025-03-06 (when was this score calculated)

References

https://my.f5.com/manage/s/article/K000149173

Timeline

2025-02-06 00:30:15 UTC
CVE

TLS Session Resumption Vulnerability
2025-02-15 10:45:25 UTC
Tenable Plugins

Fedora 40 : nginx / nginx-mod-fancyindex / nginx-mod-modsecurity / etc (2025-016ed44ddc)
2025-02-15 10:45:25 UTC
Tenable Plugins

Fedora 41 : nginx / nginx-mod-fancyindex / nginx-mod-modsecurity / etc (2025-66ebd291f8)
2025-02-21 09:46:08 UTC
Tenable Plugins

Azure Linux 3.0 Security Update: nginx (CVE-2025-23419)
2025-02-26 10:46:31 UTC
Tenable Plugins

Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2025-842)
2025-03-06 09:45:34 UTC
Tenable Plugins

Linux Distros Unpatched Vulnerability : CVE-2025-23419