Vulnerability DatabaseCVE-2025-9230
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-9230
September 30, 2025
Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
Affected Packages
openssl (CONAN):
Affected version(s) >=3.4.0 <3.4.3
Fix Suggestion:
Update to version 3.4.3
openssl (CONAN):
Affected version(s) >=3.3.1 <3.3.5
Fix Suggestion:
Update to version 3.3.5
openssl (CONAN):
Affected version(s) >=3.5.0 <3.5.4
Fix Suggestion:
Update to version 3.5.4
openssl (CONAN):
Affected version(s) >=3.0.5 <3.0.18
Fix Suggestion:
Update to version 3.0.18
openssl (CONAN):
Affected version(s) >=3.2.0 <3.2.6
Fix Suggestion:
Update to version 3.2.6
https://github.com/openssl/openssl.git (GITHUB):
Affected version(s) >=openssl-3.5.0 <openssl-3.5.4
Fix Suggestion:
Update to version openssl-3.5.4
https://github.com/openssl/openssl.git (GITHUB):
Affected version(s) >=openssl-3.4.0 <openssl-3.4.3
Fix Suggestion:
Update to version openssl-3.4.3
https://github.com/openssl/openssl.git (GITHUB):
Affected version(s) >=openssl-3.2.0 <openssl-3.2.6
Fix Suggestion:
Update to version openssl-3.2.6
https://github.com/openssl/openssl.git (GITHUB):
Affected version(s) >=openssl-3.3.0 <openssl-3.3.5
Fix Suggestion:
Update to version openssl-3.3.5
https://github.com/openssl/openssl.git (GITHUB):
Affected version(s) >=openssl-3.0.0 <openssl-3.0.18
Fix Suggestion:
Update to version openssl-3.0.18
Related ResourcesĀ (10)
http://www.openwall.com/lists/oss-security/2025/09/30/5
https://github.com/openssl/openssl/commit/9e91358f365dee6c446dcdcdb01c04d2743fd280
https://github.openssl.org/openssl/extended-releases/commit/c2b96348bfa662f25f4fabf81958ae822063dae3
https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45
https://github.com/openssl/openssl/commit/b5282d677551afda7d20e9c00e09561b547b2dfd
https://lists.debian.org/debian-lts-announce/2025/10/msg00001.html
https://openssl-library.org/news/secadv/20250930.txt
https://github.openssl.org/openssl/extended-releases/commit/dfbaf161d8dafc1132dd88cd48ad990ed9b4c8ba
https://github.com/openssl/openssl/commit/bae259a211ada6315dc50900686daaaaaa55f482
https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Out-of-bounds Write
CWE-787
Out-of-bounds Read
CWE-125
EPSS
Base Score:
0.03