CVE-2025-9232: 
OpenSSL vulnerability analysis and mitigation

CVE-2025-9232 is a low severity vulnerability discovered in OpenSSL's HTTP client API functions, disclosed on September 30, 2025. The vulnerability affects OpenSSL versions 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0, and 3.5.0, where an out-of-bounds read can occur when the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address (OpenSSL Advisory).

The vulnerability stems from a missing terminating NUL byte after a strncpy() call in the HTTP client implementation. The issue was identified in the useproxy() function within the crypto/http/httplib.c file. The vulnerability is tracked as CWE-125 (Out-of-bounds Read) and has been assigned a CVSS 3.1 Base Score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can trigger a crash leading to a Denial of Service (DoS) for an application. While the OpenSSL HTTP client API functions can be used directly by applications and are also used by the OCSP client functions and CMP client implementation, the URLs used by these implementations are unlikely to be controlled by an attacker. The impact is considered low severity due to specific conditions required for exploitation (OpenSSL Advisory).

OpenSSL has released patches for affected versions. Users should upgrade to the following versions: OpenSSL 3.5.4 (for 3.5 users), OpenSSL 3.4.3 (for 3.4 users), OpenSSL 3.3.5 (for 3.3 users), OpenSSL 3.2.6 (for 3.2 users), and OpenSSL 3.0.18 (for 3.0 users). OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue (OpenSSL Advisory).