CVE-2025-23419

🗓️ 05 Feb 2025 17:31:07Reported by f5Type

cve🔗 web.nvd.nist.gov📰️ 3 Media mentions👁 1130 Views🌐 WEB

TLS session resumption vulnerability allows attackers to bypass client certificate authentication.

Reporter	Title	Published	Views	Family All 115
IBM Security Bulletins	Security Bulletin: Vulnerability in nginx affects IBM Netezza Appliance	24 Dec 202509:18	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities exists in IBM Netezza Performance Server Replication Services	27 Feb 202619:55	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerability in nginx affects IBM Robotic Process Automation for Cloud Pak	23 Mar 202613:58	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component was using python,nginx and packages which were vulnerable to CVE-2025-4435, CVE-2025-23419, CVE-2025-4330, CVE-2025-4138, CVE-2025-47273	6 Feb 202606:19	–	ibm
FreeBSD	nginx-devel -- SSL session reuse vulnerability	5 Feb 202500:00	–	freebsd
Tenable Nessus	Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2025-842)	26 Feb 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nginx (ALASNGINX1-2025-008)	28 Mar 202500:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: nginx (CVE-2025-23419)	21 Feb 202500:00	–	nessus
Tenable Nessus	Debian dla-4091 : libnginx-mod-http-auth-pam - security update	25 Mar 202500:00	–	nessus
Tenable Nessus	Fedora 40 : nginx / nginx-mod-fancyindex / nginx-mod-modsecurity / etc (2025-016ed44ddc)	15 Feb 202500:00	–	nessus

NVD

Node

f5 nginxRange1.11.4–1.26.3

f5 nginxRange1.27.0–1.27.4

f5 nginx_plusRanger28–r32

f5 nginx_plusMatchr32-

f5 nginx_plusMatchr32p1

f5 nginx_plusMatchr33-

f5 nginx_plusMatchr33p1

Node

debian debian_linuxMatch11.0

[
  {
    "vendor": "F5",
    "product": "NGINX Open Source",
    "versions": [
      {
        "status": "affected",
        "version": "1.11.4",
        "lessThan": "*",
        "changes": [
          {
            "at": "1.27.4",
            "status": "unaffected"
          },
          {
            "at": "1.26.3",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "F5",
    "product": "NGINX Plus",
    "versions": [
      {
        "status": "affected",
        "version": "R17",
        "lessThan": "*",
        "changes": [
          {
            "at": "R32 P2",
            "status": "unaffected"
          },
          {
            "at": "R33 P2",
            "status": "unaffected"
          }
        ],
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
my	www.my.f5.com/manage/s/article/K000149173
openwall	www.openwall.com/lists/oss-security/2025/02/05/8
lists	www.lists.debian.org/debian-lts-announce/2025/03/msg00017.html

Parameter	Position	Path	Description	CWE
ssl_session_ticket_key	path	/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key	TLS session resumption can bypass client certificate authentication when multiple server blocks share IP/port and the default server uses client cert auth (via TLS Session Tickets/SSL session cache).	CWE-863
ssl_session_cache	path	/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key	TLS session resumption can bypass client certificate authentication when multiple server blocks share IP/port and the default server uses client cert auth (via TLS Session Tickets/SSL session cache).	CWE-863
ssl_session_ticket_key	path	/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache	TLS session resumption can bypass client certificate authentication when multiple server blocks share IP/port and the default server uses client cert auth (via TLS Session Tickets/SSL session cache).	CWE-863
ssl_session_cache	path	/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache	TLS session resumption can bypass client certificate authentication when multiple server blocks share IP/port and the default server uses client cert auth (via TLS Session Tickets/SSL session cache).	CWE-863

17 Jun 2026 08:54Current

4.8Medium risk

Vulners AI Score4.8

CVSS 3.14.3

CVSS 45.3

EPSS0.02557

SSVC

CWE-863