Impact
The vulnerability arises when the WOLFSSL_IP_ALT_NAME macro is undefined, causing the wolfSSL library to ignore IP address name constraints during certificate validation. As a result, a certificate that would normally be rejected by a CA’s IP address constraint can be accepted, potentially enabling an attacker to present a forged or compromised certificate to an application or service that relies on wolfSSL for TLS. This flaw could facilitate man‑in‑the‑middle attacks, spoofing of service endpoints, or unauthorized access to encrypted communications. The weakness is identified as CWE‑295 (Improper Certificate Validation). The CVSS score of 5.7 indicates moderate severity.
Affected Systems
wolfSSL, the open‑source TLS/SSL library. The flaw manifests in any build of wolfSSL where the build‑time macro WOLFSSL_IP_ALT_NAME is not defined. The specific affected versions are not listed in the vulnerability information provided, so any release of wolfSSL compiled without this macro defined should be treated as potentially vulnerable.
Risk and Exploitability
The CVSS score of 5.7 reflects a moderate risk, and no EPSS score is available, so the probability of exploitation has not been quantified. The vulnerability is not listed in the CISA KEV catalog, so no large‑scale exploitation in the wild is documented. The likely attack vector is a certificate chain that includes a CA carrying restrictive IP address name constraints: because the library skips those constraints when WOLFSSL_IP_ALT_NAME is undefined, the chain can be accepted even though its IP address names violate the constraint. Exploitation requires that the target application be built with the default configuration, which lacks this macro, and that it rely solely on wolfSSL for certificate validation. Where these prerequisites hold, an attacker could bypass access controls or intercept sensitive data.
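To make the bypass concrete, the following is an added example, not wolfSSL's code, of the RFC 5280 iPAddress name‑constraint check that a validator has to perform on every end‑entity certificate. A constrained subtree is encoded as address followed by mask (8 octets for IPv4, 32 for IPv6), and a SAN matches a subtree when (addr & mask) == (base & mask). The function names (parse_ip_subtree, ip_sans_permitted, the demo_* helpers) and the check_enabled flag, which stands in for the build macro, are this example's own; the CA subtree and leaf addresses are constructed.

```c
/* Added example (not wolfSSL code): RFC 5280 iPAddress name-constraint
 * check. Constrained CA subtrees are encoded as <address><mask>
 * (8 octets for IPv4, 32 for IPv6); a SAN matches a subtree when
 * (addr & mask) == (base & mask). All certificate data is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDR 16

typedef struct {
    size_t len;              /* 4 for IPv4, 16 for IPv6 */
    uint8_t base[MAX_ADDR];
    uint8_t mask[MAX_ADDR];
} ip_subtree;

typedef struct {
    size_t len;
    uint8_t addr[MAX_ADDR];
} ip_san;

/* Decode the raw iPAddress octets of a name-constraint subtree.
 * Lengths other than 8 or 32 are malformed and are rejected. */
bool parse_ip_subtree(const uint8_t *octets, size_t n, ip_subtree *out) {
    if (n != 8 && n != 32) return false;
    out->len = n / 2;
    memcpy(out->base, octets, out->len);
    memcpy(out->mask, octets + out->len, out->len);
    return true;
}

/* A SAN can only match a subtree of the same address family; a family
 * mismatch is treated as "no match" (assumption of this example, in line
 * with common validator behaviour). */
static bool in_subtree(const ip_san *s, const ip_subtree *t) {
    if (s->len != t->len) return false;
    for (size_t i = 0; i < s->len; i++)
        if ((s->addr[i] & t->mask[i]) != (t->base[i] & t->mask[i]))
            return false;
    return true;
}

/* The check this advisory is about. A leaf is acceptable only if every
 * iPAddress SAN lies outside all excluded subtrees and, when the CA lists
 * any permitted IP subtrees, inside at least one of them. check_enabled
 * models the build option: when false the constraint is skipped entirely,
 * which is the failure mode described for builds lacking the macro. */
bool ip_sans_permitted(const ip_san *sans, size_t nsans,
                       const ip_subtree *permitted, size_t nperm,
                       const ip_subtree *excluded, size_t nexcl,
                       bool check_enabled) {
    if (!check_enabled) return true;   /* constraint silently bypassed */
    for (size_t i = 0; i < nsans; i++) {
        for (size_t j = 0; j < nexcl; j++)
            if (in_subtree(&sans[i], &excluded[j])) return false;
        if (nperm == 0) continue;
        bool ok = false;
        for (size_t j = 0; j < nperm && !ok; j++)
            ok = in_subtree(&sans[i], &permitted[j]);
        if (!ok) return false;
    }
    return true;
}

/* Constructed CA: an intermediate permitted to issue only for 10.0.0.0/8. */
static bool load_demo_ca(ip_subtree *permitted) {
    static const uint8_t raw_subtree[8] = { 10, 0, 0, 0, 255, 0, 0, 0 };
    return parse_ip_subtree(raw_subtree, sizeof raw_subtree, permitted);
}

/* Leaf claiming 192.0.2.10, outside the CA's subtree. Returns true when
 * the leaf is correctly rejected with the check on and wrongly accepted
 * with it off, i.e. when the bypass is reproduced. */
bool demo_constraint_bypass(void) {
    ip_subtree permitted;
    if (!load_demo_ca(&permitted)) return false;
    ip_san leaf = { 4, { 192, 0, 2, 10 } };
    bool strict = ip_sans_permitted(&leaf, 1, &permitted, 1, NULL, 0, true);
    bool lax    = ip_sans_permitted(&leaf, 1, &permitted, 1, NULL, 0, false);
    return !strict && lax;
}

/* Leaf at 10.1.2.3, inside the subtree: accepted under the strict check. */
bool demo_in_range_leaf(void) {
    ip_subtree permitted;
    if (!load_demo_ca(&permitted)) return false;
    ip_san leaf = { 4, { 10, 1, 2, 3 } };
    return ip_sans_permitted(&leaf, 1, &permitted, 1, NULL, 0, true);
}

int main(void) {
    printf("bypass reproduced with check disabled: %s\n",
           demo_constraint_bypass() ? "yes" : "no");
    printf("in-range leaf accepted with check enabled: %s\n",
           demo_in_range_leaf() ? "yes" : "no");
    return 0;
}
```

The point of the check_enabled branch is that the outcome depends on a compile‑time setting rather than on the certificate contents, so a deployment cannot tell from the chain alone whether the constraint was honoured; confirming which macros a given wolfSSL build defines is the practical mitigation step until a fixed release is in place.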
OpenCVE Enrichment