CVE-2025-11935 Overview
CVE-2025-11935 is a cryptographic vulnerability in wolfSSL's TLS 1.3 implementation that affects the handling of pre-shared key (PSK) connections. When a malicious or faulty server responds to a ClientHello containing psk_dhe_ke without including a key_share extension, the client incorrectly continues the connection using PSK without Perfect Forward Secrecy (PFS). This behavior violates the client's explicit request for PFS protection and silently downgrades the connection security.
Critical Impact
Connections that clients expect to have Perfect Forward Secrecy protection are silently established without PFS, allowing potential decryption of captured traffic if the PSK is later compromised.
Affected Products
- wolfSSL wolfssl
- Apple macOS
- Linux linux_kernel
Discovery Timeline
- 2025-11-21 - CVE-2025-11935 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-11935
Vulnerability Analysis
This vulnerability represents a failure in the TLS 1.3 handshake validation logic within wolfSSL. TLS 1.3 introduced the concept of PSK modes, where psk_dhe_ke indicates that the client requires Diffie-Hellman key exchange to be performed alongside PSK authentication to achieve Perfect Forward Secrecy. The vulnerability occurs when the server maliciously or incorrectly omits the key_share extension from its ServerHello response.
Under normal circumstances, when a client sends psk_dhe_ke in the psk_key_exchange_modes extension, the server must respond with a key_share extension containing its ephemeral Diffie-Hellman public key. If this extension is missing, the client should abort the handshake as the server cannot satisfy the PFS requirement. However, wolfSSL's implementation failed to enforce this validation, allowing the handshake to proceed without the cryptographic guarantees the client expected.
Root Cause
The root cause is inadequate validation in wolfSSL's TLS 1.3 client handshake processing. Specifically, when the client specifies psk_dhe_ke mode (indicating a requirement for PSK with Diffie-Hellman key exchange for forward secrecy), the code path does not properly verify that the server's response includes the mandatory key_share extension. This missing check allows the connection to complete with PSK-only authentication, effectively downgrading the security to a mode the client did not request.
Attack Vector
The attack requires a network position where an attacker can act as or control the TLS server. In a man-in-the-middle scenario or when connecting to a malicious server, the attacker intercepts or handles the TLS 1.3 handshake and deliberately omits the key_share extension from the ServerHello message, despite the client requesting psk_dhe_ke mode.
The client, due to the vulnerability in wolfSSL, accepts this malformed response and establishes a PSK-only connection. Without the Diffie-Hellman exchange, all session traffic can be decrypted if the pre-shared key is later compromised, as there is no ephemeral key material to protect past sessions.
Detection Methods for CVE-2025-11935
Indicators of Compromise
- TLS 1.3 connections established with PSK authentication where the handshake transcript shows psk_dhe_ke was offered but no key_share was received
- Anomalous TLS handshake patterns where ServerHello messages lack key_share extensions despite client PFS requirements
- Unexpected PSK-only session resumptions in environments configured to require forward secrecy
Detection Strategies
- Monitor TLS handshake traffic for ServerHello messages that respond to psk_dhe_ke mode without including a key_share extension
- Implement network security monitoring to flag TLS 1.3 sessions that complete without key exchange when PFS was requested
- Audit application logs for unexpected connection state warnings or PSK mode mismatches
Monitoring Recommendations
- Deploy TLS inspection at network boundaries to analyze handshake compliance with RFC 8446 requirements
- Enable verbose TLS debugging in wolfSSL-based applications to log key exchange mode negotiations
- Implement alerting for TLS sessions that establish without expected PFS characteristics
How to Mitigate CVE-2025-11935
Immediate Actions Required
- Update wolfSSL to a patched version that correctly validates server responses for PSK with DHE requirements
- Review and audit any applications using wolfSSL for TLS 1.3 PSK functionality
- Consider temporarily disabling PSK resumption if immediate patching is not possible
- Monitor network traffic for evidence of exploitation attempts against vulnerable endpoints
Patch Information
The vulnerability has been addressed in GitHub Pull Request #9112 in the wolfSSL repository. Organizations should update to the latest stable release of wolfSSL that incorporates this fix. Review the wolfSSL GitHub repository for the most current release information and security advisories.
Workarounds
- Disable TLS 1.3 PSK session resumption in wolfSSL-based applications until the patch can be applied
- Configure applications to use certificate-based authentication exclusively rather than PSK modes
- Implement network-level controls to validate TLS handshake compliance before allowing connections
- Consider deploying TLS-terminating proxies that enforce proper handshake validation
# Example: Disable PSK in wolfSSL configuration (consult documentation for your version)
# In wolfssl/wolfssl/options.h or build configuration:
# Undefine HAVE_SESSION_TICKET and NO_PSK to disable PSK support
# ./configure --disable-psk --disable-session-ticket
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
