Out-of-bounds read in HTTP client no_proxy handling

Summary

CVE	CVE-2025-9232
State	PUBLISHED
Assigner	openssl
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-09-30 14:15:41 UTC
Updated	2026-05-12 13:17:30 UTC
Description	Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application. The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker. In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity. The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.

Risk And Classification

Primary CVSS: v3.1 5.9 MEDIUM from ADP

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000390000 probability, percentile 0.117310000 (date 2026-05-12)

Problem Types: CWE-125 | CWE-125 CWE-125 Out-of-bounds Read

Version	Source	Type	Score	Severity	Vector
3.1	ADP	DECLARED	5.9	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	5.9	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	OpenSSL	OpenSSL	affected 3.5.0 3.5.4 semver	Not specified
CNA	OpenSSL	OpenSSL	affected 3.4.0 3.4.3 semver	Not specified
CNA	OpenSSL	OpenSSL	affected 3.3.3 3.3.5 semver	Not specified
CNA	OpenSSL	OpenSSL	affected 3.2.4 3.2.6 semver	Not specified
CNA	OpenSSL	OpenSSL	affected 3.0.16 3.0.18 semver	Not specified
ADP	Siemens	RUGGEDCOM RST2428P	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCH328	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCM324	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCM328	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCM332	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRH334 24 V DC 8xFO CC	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 230 V AC 12xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 230 V AC 8xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 230V AC 2x10G 24xSFP 8xSFP	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 24 V DC 12xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 24 V DC 8xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 24V DC 2x10G 24xSFP 8xSFP	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 2x230 V AC 12xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 2x230 V AC 8xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 2x230V AC 2x10G 24xSFP 8xSFP	affected V3.3 custom	Not specified
ADP	Siemens	SIDIS Prime	affected V4.0.800 custom	Not specified
ADP	Siemens	SIMATIC CN 4100	affected V5.0 custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified

References

Reference	Source	Link	Tags
cert-portal.siemens.com/productcert/html/ssa-089022.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-082556.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3	[email protected]	github.com
openssl-library.org/news/secadv/20250930.txt	[email protected]	openssl-library.org
www.openwall.com/lists/oss-security/2025/09/30/5	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com
cert-portal.siemens.com/productcert/html/ssa-032379.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0	[email protected]	github.com
github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b	[email protected]	github.com
github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35	[email protected]	github.com
cert-portal.siemens.com/productcert/html/ssa-485750.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf	[email protected]	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Stanislav Fort (Aisle Research) (en)

There are currently no legacy QID mappings associated with this CVE.