CVE-2024-55581: 
Linux Debian vulnerability analysis and mitigation

When AdaCore Ada Web Server (AWS) 25.0.0 is linked with GnuTLS, the default behaviour of AWS.Client is vulnerable to a man-in-the-middle attack because of lack of verification of an HTTPS server's certificate, unless the using program specifies a TLS configuration. The vulnerability was disclosed in February 2025 and assigned identifier CVE-2024-55581 (NVD, MITRE).

The vulnerability is classified as CWE-295 (Improper Certificate Validation). The CVSS 3.1 base score is 7.4 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that the vulnerability can be exploited remotely without requiring privileges or user interaction, though with high attack complexity (NVD).

The vulnerability allows attackers to perform man-in-the-middle attacks due to the lack of proper HTTPS server certificate verification. This could lead to interception and potential manipulation of sensitive data transmitted between the client and server (NVD).

The issue has been addressed in Debian 11 (bullseye) with version 20.2-2+deb11u1 of the libaws package. Users should update to this version or later. For programs using AWS.Client, it is recommended to explicitly specify a TLS configuration to ensure proper certificate validation (Debian Advisory).