CVE-2025-11934 LOW

CVE-2025-11934: Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify

Vendor Wolfssl
Product wolfSSL
Weakness CWE-20 · Input validation
Published November 21, 2025
Last update December 8, 2025

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.

Key dates

02Disclosure timeline

November 21, 2025 CVE published
December 8, 2025 Record updated