Bug 2396056 (CVE-2025-9232)

Summary: CVE-2025-9232 openssl: Out-of-bounds read in HTTP client no_proxy handling
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the OpenSSL HTTP client API no_proxy handling. This vulnerability allows an application level denial of service (application crash) via an attacker-controlled IPv6 URL when the no_proxy environment variable is set.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2400667, 2400671, 2400669, 2400673, 2400675, 2400677, 2400679, 2400681, 2400683, 2400684, 2400685
Bug Blocks:
Deadline: 2025-09-30

Description OSIDB Bzimport 2025-09-17 12:22:45 UTC
Issue summary: An application using the OpenSSL HTTP client API functions may
trigger an out-of-bounds read if the "no_proxy" environment variable is set and
the host portion of the authority component of the HTTP URL is an IPv6 address.

Impact summary: An out-of-bounds read can trigger a crash which leads to
Denial of Service for an application.

The OpenSSL HTTP client API functions can be used directly by applications,
but they are also used by the OCSP client functions and the CMP (Certificate
Management Protocol) client implementation in OpenSSL. However, the URLs used
by these implementations are unlikely to be controlled by an attacker.

In this vulnerable code the out-of-bounds read can only trigger a crash.
Furthermore, the vulnerability requires an attacker-controlled URL to be
passed from an application to the OpenSSL function, and the user has to have
a "no_proxy" environment variable set. For the aforementioned reasons the
issue was assessed as Low severity.
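The precondition above is a no_proxy lookup against a host that may be a bracketed IPv6 literal. As an added illustration (not OpenSSL's code and not the patched function), the matcher below shows the bounds discipline such a lookup needs: it strips the brackets, never compares more bytes than the bare host contains, and enforces a label boundary. It assumes the common no_proxy convention of comma-separated, case-insensitive host suffixes with "*" meaning all hosts.

```c
/* Added example, not OpenSSL code: a bounds-checked no_proxy matcher.
 * Assumed semantics: no_proxy is a comma-separated list of host
 * suffixes, "*" matches everything, and a leading '[' ']' pair on the
 * host denotes an IPv6 literal whose brackets are not part of the name. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if host is exempt from proxying, 0 otherwise.
 * Every comparison length is bounded by both strings' real lengths. */
int host_in_no_proxy(const char *host, const char *no_proxy)
{
    size_t hlen;
    const char *p;

    if (host == NULL || no_proxy == NULL)
        return 0;
    hlen = strlen(host);
    /* Strip IPv6 brackets; only touch bytes proven to exist. */
    if (hlen >= 2 && host[0] == '[' && host[hlen - 1] == ']') {
        host++;
        hlen -= 2;
    }
    if (hlen == 0)
        return 0;
    for (p = no_proxy; *p != '\0'; ) {
        const char *end = strchr(p, ',');
        size_t elen = end != NULL ? (size_t)(end - p) : strlen(p);
        /* Trim blanks around the entry without leaving its bounds. */
        while (elen > 0 && (*p == ' ' || *p == '\t')) { p++; elen--; }
        while (elen > 0 && (p[elen - 1] == ' ' || p[elen - 1] == '\t')) elen--;
        if (elen == 1 && p[0] == '*')
            return 1;
        /* Suffix compare only when the entry fits inside the host. */
        if (elen > 0 && elen <= hlen
            && strncasecmp(host + (hlen - elen), p, elen) == 0
            /* Label boundary: "example.com" must not match "badexample.com". */
            && (elen == hlen || host[hlen - elen - 1] == '.' || p[0] == '.'))
            return 1;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    printf("%d\n", host_in_no_proxy("[::1]", "localhost, ::1"));
    printf("%d\n", host_in_no_proxy("[2001:db8::1]", "::1"));
    return 0;
}
```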

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
issue, as the HTTP client implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.5, 3.4, 3.3, 3.2 and 3.0 are vulnerable to this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.