A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL
client failing to properly verify the server certificate's domain name,
allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.
Fixes

Solution

Upgrade to wolfSSL commit fbc483e23a3e42d5430a838230db1f8c90b88d41 or newer


Workaround

Manually load CA certificates into wolfSSL instead of relying on apple native certificate verification, or upgrade to wolfSSL commit fbc483e23a3e42d5430a838230db1f8c90b88d41 or newer

References
History

Mon, 21 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 22:30:00 +0000

Type Values Removed Values Added
Description A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.
Title Domain Name Validation Bypass with Apple Native Certificate Validation
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:Y/V:D/U:Red'}


cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2025-07-21T14:56:52.762Z

Reserved: 2025-07-09T16:38:39.054Z

Link: CVE-2025-7395

cve-icon Vulnrichment

Updated: 2025-07-21T14:56:45.588Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-18T23:15:23.657

Modified: 2025-07-22T13:06:07.260

Link: CVE-2025-7395

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-21T15:17:07Z