CVE-2025-66199 Overview
CVE-2025-66199 is a resource exhaustion vulnerability in OpenSSL's TLS 1.3 certificate compression implementation. When certificate compression is enabled, a TLS 1.3 connection can be forced to allocate a large buffer (up to approximately 22 MiB) before decompression without checking against the configured certificate size limit. This vulnerability allows an attacker to cause significant per-connection memory allocations and extra CPU work, potentially leading to service degradation or Denial of Service (DoS).
Critical Impact
Attackers can exploit this flaw to cause large per-connection memory allocations (up to ~22 MiB each) followed by handshake failure, potentially exhausting server resources and causing denial of service conditions without authentication.
Affected Products
- OpenSSL 3.6
- OpenSSL 3.5
- OpenSSL 3.4
- OpenSSL 3.3
Discovery Timeline
- January 27, 2026 - CVE-2025-66199 published to NVD
- January 29, 2026 - Last updated in NVD database
Technical Details for CVE-2025-66199
Vulnerability Analysis
This vulnerability affects OpenSSL's handling of TLS 1.3 CompressedCertificate messages. When processing compressed certificates, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. Critically, this length is not bounded by the max_cert_list setting, which normally constrains certificate message sizes.
The vulnerability manifests in builds where TLS 1.3 certificate compression is compiled in (i.e., without OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated during the TLS handshake. Both clients receiving a server CompressedCertificate and servers in mutual TLS (mTLS) scenarios receiving a client CompressedCertificate are affected. Importantly, servers that do not request client certificates are not vulnerable to client-initiated attacks.
The FIPS modules in OpenSSL 3.6, 3.5, 3.4, and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. Additionally, OpenSSL 3.0, 1.1.1, and 1.0.2 are not affected.
Root Cause
The root cause is classified as CWE-789 (Memory Allocation with Excessive Size Value). The vulnerability stems from improper validation of the uncompressed certificate length field in CompressedCertificate messages. The code path responsible for buffer allocation uses the peer-provided length value without checking it against the max_cert_list configuration limit, allowing attackers to specify arbitrarily large buffer sizes.
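The missing bound described above, shown as a stand-alone parser. This is an added example, not OpenSSL's code: `cc_prepare`, `cc_header`, the status codes and the sample bytes are hypothetical, the field layout follows RFC 8879, and the limit assumes OpenSSL's documented 100 KiB default for max_cert_list.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* RFC 8879 body: uint16 algorithm, uint24 uncompressed_length, opaque payload<1..2^24-1> */
#define MAX_CERT_LIST_DEFAULT (100 * 1024) /* assumed limit: documented 100 KiB default */
enum cc_status { CC_OK = 0, CC_MALFORMED, CC_TOO_LARGE, CC_NOMEM };

struct cc_header {
    uint16_t algorithm;        /* RFC 8879: 1 zlib, 2 brotli, 3 zstd */
    uint32_t uncompressed_len; /* peer-supplied, untrusted */
    uint32_t payload_len;      /* compressed bytes following the header */
};

static uint32_t rd24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Parse the header; allocate only after the declared length passes the limit. */
enum cc_status cc_prepare(const uint8_t *msg, size_t len, size_t max_cert_list,
                          struct cc_header *h, uint8_t **out)
{
    *out = NULL;
    if (len < 8) /* 2 + 3 + 3 header bytes */
        return CC_MALFORMED;
    h->algorithm = (uint16_t)((msg[0] << 8) | msg[1]);
    h->uncompressed_len = rd24(msg + 2);
    h->payload_len = rd24(msg + 5);
    if (h->payload_len == 0 || h->payload_len != len - 8)
        return CC_MALFORMED;
    /* The bound the root cause describes as missing: reject before malloc. */
    if (h->uncompressed_len == 0 || h->uncompressed_len > max_cert_list)
        return CC_TOO_LARGE;
    *out = malloc(h->uncompressed_len);
    return *out != NULL ? CC_OK : CC_NOMEM;
}

int main(void)
{
    /* Constructed sample: zlib, declared length 0xFFFFFF, one payload byte. */
    const uint8_t msg[] = {0, 1, 0xFF, 0xFF, 0xFF, 0, 0, 1, 0x78};
    struct cc_header h;
    uint8_t *out;
    enum cc_status st = cc_prepare(msg, sizeof msg, MAX_CERT_LIST_DEFAULT, &h, &out);
    printf("declared=%u status=%d\n", (unsigned)h.uncompressed_len, (int)st);
    free(out);
    return st == CC_TOO_LARGE ? 0 : 1;
}
```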
Attack Vector
The attack is conducted over the network during TLS 1.3 handshake negotiation. An attacker can send a malicious CompressedCertificate message with an inflated uncompressed length field, causing the target to allocate excessive memory. The attack requires:
- A TLS 1.3 connection where certificate compression is negotiated
- At least one compression algorithm (brotli, zlib, or zstd) enabled on the target
- For client attacks: A malicious server sending a crafted CompressedCertificate
- For server attacks: Mutual TLS configuration where the server requests client certificates
The attack does not result in memory corruption or information disclosure—only resource exhaustion through excessive allocations followed by handshake failure.
Detection Methods for CVE-2025-66199
Indicators of Compromise
- Unusual spikes in memory consumption on systems running vulnerable OpenSSL versions during TLS handshakes
- High frequency of TLS 1.3 handshake failures following large memory allocations
- Abnormal memory allocation patterns in processes handling TLS connections
- System logs indicating memory pressure or out-of-memory conditions correlated with TLS activity
Detection Strategies
- Monitor memory usage patterns on TLS-terminating services for sudden per-connection spikes approaching 22 MiB
- Implement alerting on TLS handshake failure rates exceeding normal baselines
- Deploy network monitoring to detect anomalous CompressedCertificate message patterns in TLS 1.3 traffic
- Use endpoint detection tools to identify processes experiencing unusual memory allocation behavior during certificate processing
Monitoring Recommendations
- Enable detailed logging for TLS handshake events and failures on affected systems
- Configure memory threshold alerts on systems using OpenSSL 3.3 through 3.6 for TLS termination
- Track the ratio of successful to failed TLS 1.3 handshakes as a potential attack indicator
- Review system resource utilization dashboards for correlation between TLS traffic and memory consumption
How to Mitigate CVE-2025-66199
Immediate Actions Required
- Identify all systems running OpenSSL versions 3.3, 3.4, 3.5, or 3.6 with TLS 1.3 certificate compression enabled
- Apply the security patches from OpenSSL immediately to affected systems
- If patching is not immediately possible, disable receiving compressed certificates using the SSL_OP_NO_RX_CERTIFICATE_COMPRESSION option
- Review mTLS configurations and consider temporarily disabling client certificate requests on vulnerable servers if client authentication is not critical
Patch Information
OpenSSL has released patches addressing this vulnerability. The fixes are available in the following commits:
For complete advisory details, refer to the OpenSSL Security Advisory.
Workarounds
- Set SSL_OP_NO_RX_CERTIFICATE_COMPRESSION option to disable receiving compressed certificates until patches can be applied
- If mutual TLS is not required, configure servers to not request client certificates to prevent client-initiated attacks
- Rebuild OpenSSL with OPENSSL_NO_COMP_ALG to completely disable certificate compression support
- Implement rate limiting and connection throttling on TLS-terminating services to reduce the impact of exploitation attempts
# Configuration example - Disable receiving compressed certificates in OpenSSL
# Add to your SSL/TLS configuration code:
# SSL_CTX_set_options(ctx, SSL_OP_NO_RX_CERTIFICATE_COMPRESSION);
# For nginx with OpenSSL, ensure you're using patched OpenSSL versions
# Check OpenSSL version:
openssl version
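# Verify if certificate compression is compiled in. Features printed here were
# disabled at build time; names are upper case, so match case-insensitively:
openssl list -disabled | grep -iE 'comp|zlib|brotli|zstd'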