NIXPKGS-2025-0012

published on 13 Dec 2025

Permalink CVE-2025-11935

updated 1 month, 4 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 months, 3 weeks ago
@LeSuisse accepted 1 month, 4 weeks ago
@LeSuisse published on GitHub 1 month, 4 weeks ago

Forward Secrecy Violation in WolfSSL TLS 1.3

With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.

Affected products

wolfssl

<5.8.4
==v5.8.2

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

nixos-unstable 5.8.2
- nixpkgs-unstable 5.8.2
- nixos-unstable-small 5.8.2
nixos-25.05 5.8.2
- nixos-25.05-small 5.8.2
- nixpkgs-25.05-darwin 5.8.2

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@vifino Adrian Pistol <vifino@tty.sh>

Nixpkgs Security Tracker

Details of issue NIXPKGS-2025-0012

Affected products

Matching in nixpkgs

pkgs.wolfssl

Package maintainers