CVE-2025-9232
Severity CVSS v4.0: Pending analysis
Type: CWE-125 (Out-of-bounds Read)
Publication date: 30/09/2025
Last modified: 04/11/2025
Description
Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.

Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.

The OpenSSL HTTP client API functions can be used directly by applications, but they are also used by the OCSP client functions and the CMP (Certificate Management Protocol) client implementation in OpenSSL. However, the URLs used by these implementations are unlikely to be controlled by an attacker.

In this vulnerable code the out-of-bounds read can only trigger a crash. Furthermore, the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function, and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.

The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.
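As an added illustration of the edge case the advisory describes (this is not OpenSSL's code and not a reconstruction of the patched function), the following self-contained C matcher checks a host against a comma- or space-separated no_proxy list, treating a bracketed IPv6 literal such as "[::1]" as the address inside the brackets. The pointer and length are adjusted together and every comparison is bounded by lengths derived from the strings themselves, which is the property a reviewer should look for in this kind of code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical hardened matcher (not OpenSSL's code): does `host` match an
 * entry of a comma- or space-separated no_proxy list? A host given as a
 * bracketed IPv6 literal ("[::1]") is compared without its brackets. The
 * start pointer and the length are adjusted together, and every comparison
 * is bounded by lengths computed from the strings themselves, so stripping
 * the brackets can never read past the end of either string. */
bool host_in_no_proxy(const char *no_proxy, const char *host)
{
    size_t hl = strlen(host);
    const char *p;

    if (hl >= 2 && host[0] == '[' && host[hl - 1] == ']') {
        host++;          /* drop '[' ... */
        hl -= 2;         /* ... and account for both brackets in the length */
    }
    if (hl == 0 || no_proxy == NULL)
        return false;

    for (p = no_proxy; *p != '\0'; ) {
        const char *entry;
        size_t el;

        while (*p == ',' || *p == ' ')   /* skip delimiters */
            p++;
        entry = p;
        while (*p != '\0' && *p != ',' && *p != ' ')
            p++;
        el = (size_t)(p - entry);
        /* Entries may be bracketed too; compare the unbracketed forms. */
        if (el >= 2 && entry[0] == '[' && entry[el - 1] == ']') {
            entry++;
            el -= 2;
        }
        if (el == 0)
            continue;
        /* exact match: host is the entry */
        if (el == hl && memcmp(entry, host, hl) == 0)
            return true;
        /* domain-suffix match: host is a subdomain of the entry */
        if (el < hl && host[hl - el - 1] == '.'
            && memcmp(host + hl - el, entry, el) == 0)
            return true;
    }
    return false;
}
```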
Impact
Base Score 3.x: 5.90
Severity 3.x: MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35
- https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b
- https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3
- https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf
- https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0
- https://openssl-library.org/news/secadv/20250930.txt
- http://www.openwall.com/lists/oss-security/2025/09/30/5