Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify

2.1 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Description

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.

Basic Information

ID CVE-2025-11934

Source wolfSSL

Published Nov 21, 2025 at 22:12

Affected Product

Vendor wolfSSL

Product wolfSSL

Version v5.8.2

Affected Versions wolfSSL wolfSSL v5.8.2

CWE Classification

CWE-20

References

{
    "lastseen": "",
    "description": "Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.",
    "published": "2025-11-21T22:12:37.868Z",
    "modified": "2025-11-21T22:12:37.868Z",
    "type": "cve",
    "title": "Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify",
    "source": "wolfSSL",
    "references": "https://github.com/wolfSSL/wolfssl\nhttps://github.com/wolfSSL/wolfssl/pull/9113",
    "id": "CVE-2025-11934",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "wolfSSL wolfSSL v5.8.2",
    "sourceHref": "",
    "cvss": {
        "score": 2.1,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "wolfSSL",
    "version": "v5.8.2",
    "vendor": "wolfSSL",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify_CVE-2025-11934