[nginx-announce] nginx security advisory (CVE-2025-23419)
F5SIRT
f5sirt at F5.com
Wed Feb 5 17:23:12 UTC 2025
A problem with SSL session resumption in nginx was identified.
It was possible to reuse SSL sessions in name-based
virtual hosts in unrelated contexts, allowing client
certificate authentication to be bypassed in some configurations
(CVE-2025-23419).

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.
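
The conditions above can be turned into a coarse triage check over the output of `nginx -v` and `nginx -T`. This is an added example, not part of the advisory or of nginx. The function names, the sample input, the use of `ssl_verify_client` as the marker for client certificate authentication, and the handling of a missing `ssl_protocols` directive are assumptions made for the example.

```python
import re

FIRST_AFFECTED = (1, 11, 4)   # advisory: "nginx 1.11.4 and newer"
FIXED_STABLE = (1, 26, 3)     # advisory: fixed in 1.26.3
FIXED_MAINLINE = (1, 27, 4)   # advisory: fixed in 1.27.4

def parse_version(text):
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)  # e.g. "nginx version: nginx/1.26.2"
    if not m:
        raise ValueError("no nginx version found in %r" % text)
    return tuple(int(part) for part in m.groups())

def version_affected(v):
    """True for 1.11.4 and newer, except 1.26.3+ on the 1.26.x branch and 1.27.4 or later."""
    in_range = FIRST_AFFECTED <= v < FIXED_MAINLINE
    return in_range and not (FIXED_STABLE <= v < (1, 27, 0))

def directive_args(config, name):
    """Argument lists for each occurrence of a directive, in any context."""
    body = re.sub(r"#[^\n]*", "", config)  # drop comments (simplification)
    pattern = r"(?:^|[;{}])\s*" + re.escape(name) + r"\s+([^;{}]+);"
    return [m.group(1).split() for m in re.finditer(pattern, body, re.M)]

def assess(version_text, config):
    """Coarse whole-dump triage; it does not resolve per-server inheritance."""
    names = ("ssl_protocols", "ssl_session_tickets", "ssl_session_cache", "ssl_verify_client")
    protocols, tickets, caches, verify = (directive_args(config, n) for n in names)
    result = {
        "version_affected": version_affected(parse_version(version_text)),
        # Assumption: with no ssl_protocols directive, treat TLSv1.3 as possibly on.
        "tls13": not protocols or any("TLSv1.3" in p for p in protocols),
        # Tickets default to on; a cache counts unless its arguments are only off/none.
        "resumption": (not tickets or ["on"] in tickets
                       or any(set(c) - {"off", "none"} for c in caches)),
        # Assumption: ssl_verify_client marks the client certificate checks at risk.
        "client_cert_auth": any(a != ["off"] for a in verify),
    }
    result["matches_advisory"] = all(result.values())
    return result

# Constructed sample input (a config fragment), not taken from the advisory.
SAMPLE_VERSION = "nginx version: nginx/1.26.2"
SAMPLE_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;   # resumption via the session cache
ssl_session_tickets off;
server { listen 443 ssl; server_name a.example; ssl_verify_client on; }
"""
```

A result with `matches_advisory` set means the host should move to 1.26.3 or 1.27.4; a clean result from this scan is not proof that a complex configuration is unaffected.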