Vulnerability identifier: #VU103686
Vulnerability risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
nginx (Server applications / Web servers)
NGINX Plus (Server applications / Web servers)
Vendor: F5 Networks
Description
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to TLS session resumption when handling client certificate authentication. A remote attacker can bypass the authentication process and gain unauthorized access to the application.
Successful exploitation of the vulnerability requires that name-based virtual hosts are configured to share the same IP address and port combination and use TLS 1.3 and OpenSSL. This vulnerability arises when TLS session tickets are used and/or the SSL session cache is used in the default virtual server and the default virtual server is performing client certificate authentication.
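To check a deployment against the preconditions above, the following added example (not code from the advisory, F5 or the nginx project) audits an nginx configuration and lists the listen sockets where several TLS virtual servers share one socket and the default server verifies client certificates with session resumption available. Assumptions: the function names and sample configuration are constructed, the parser is simplified (no `include` handling, listen addresses compared as written), and an unset `ssl_protocols` is treated as allowing TLS 1.3.

```python
import re
from collections import defaultdict

SAMPLE = """
http {
  ssl_protocols TLSv1.2 TLSv1.3;
  server { listen 443 ssl default_server; server_name a.example.test; ssl_verify_client on; }
  server { listen 443 ssl; server_name b.example.test; }
  server { listen 8443 ssl; server_name c.example.test; ssl_verify_client on; }
}
"""  # constructed sample config, not taken from the advisory

def parse_config(text):
    """Return (http-level directives, list of per-server directives)."""
    http, servers, stack, words = defaultdict(list), [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text)):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":  # block opens: remember its name (http, server, location, ...)
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                servers.append(defaultdict(list))
        elif tok == "}":
            stack.pop()
        elif words and stack and stack[-1] in ("http", "server"):
            target = servers[-1] if stack[-1] == "server" else http
            target[words[0]].append(words[1:])  # directive name -> argument lists
        words = []
    return http, servers

def exposed_listeners(text):
    """Listen sockets that match the advisory's stated preconditions."""
    http, servers = parse_config(text)
    def get(srv, name, default):  # server value, else inherited http value, else default
        return (srv.get(name) or http.get(name) or [[default]])[-1]
    groups = defaultdict(list)
    for srv in servers:
        for args in srv.get("listen", []):
            if "ssl" in args:  # TLS listeners only
                groups[args[0]].append((srv, "default_server" in args))
    hits = []
    for addr, members in groups.items():
        default = next((s for s, d in members if d), members[0][0])  # first server if unmarked
        verify = get(default, "ssl_verify_client", "off")[0] != "off"
        resume = (get(default, "ssl_session_tickets", "on")[0] != "off"
                  or get(default, "ssl_session_cache", "none")[0] not in ("off", "none"))
        tls13 = "TLSv1.3" in get(default, "ssl_protocols", "TLSv1.3")  # unset: assume enabled
        if len(members) > 1 and verify and resume and tls13:
            hits.append(addr)
    return sorted(hits)
```

A listed socket means the configuration matches the stated preconditions; whether the installed build is affected still depends on the versions listed under "Vulnerable software versions".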
Mitigation
Install updates from vendor's website.
Vulnerable software versions
nginx: 1.11.4 - 1.11.13, 1.12.0 - 1.12.2, 1.13.0 - 1.13.12, 1.14.0 - 1.14.2, 1.15.0 - 1.15.12, 1.16.0 - 1.16.1, 1.17.0 - 1.17.10, 1.18.0, 1.19.0 - 1.19.10, 1.20.0 - 1.20.2, 1.21.0 - 1.21.6, 1.22.0 - 1.22.1, 1.23.0 - 1.23.4, 1.24.0, 1.25.0 - 1.25.5, 1.26.0 - 1.26.2, 1.27.0 - 1.27.3
NGINX Plus: R28, R29, R30 - R30 P2, R31 - R31 P3, R32, R33, R32 P1, R33 P1
External links
https://www.openwall.com/lists/oss-security/2025/02/05/8
https://my.f5.com/manage/s/article/K000149173
https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html