CVE-2025-11935: Alert! Potential Perfect Forward Secrecy Bypass in TLS 1.3 PSK Implementations

Overview

CVE-2025-11935 describes a potential vulnerability in the implementation of TLS 1.3 pre-shared keys (PSK) that could lead to a bypass of Perfect Forward Secrecy (PFS). Specifically, a malicious or faulty server could ignore a client's request for PFS when using PSK, and the client would continue the connection without PFS. This happens when the server responds to a ClientHello containing `psk_dhe_ke` without a `key_share` extension.

Continuing a PSK-authenticated connection on the client side without the expected PFS weakens the overall security of the connection: the session keys of past connections could be recovered if the PSK is later revealed.

Technical Details

The vulnerability arises from the interaction between the `psk_dhe_ke` key exchange method and the `key_share` extension in TLS 1.3. When a client offers `psk_dhe_ke`, it expects the server to negotiate a Diffie-Hellman exchange for PFS. This negotiation is typically signaled through the presence of a `key_share` extension in the ServerHello message.

If a server, either maliciously or due to a bug, responds to a ClientHello containing `psk_dhe_ke` *without* sending a `key_share` extension in its ServerHello, a vulnerable client might incorrectly proceed with the PSK-based connection without PFS. This deviates from the intended behavior where PFS is negotiated using the Diffie-Hellman key exchange.

CVSS Analysis

Currently, a CVSS score has not been assigned to CVE-2025-11935 (N/A). The severity is also listed as N/A. This is likely because the vulnerability’s exploitability and impact are still under investigation and depend heavily on the specific TLS 1.3 implementation. The potential impact, however, is significant as it could compromise the intended security guarantees of TLS 1.3.

Possible Impact

The lack of PFS in a TLS connection established via PSK can have the following implications:

  • Compromised Session Keys: If the PSK is ever compromised (e.g., through a key leak or brute-force attack), all past sessions using that PSK without PFS become vulnerable to decryption.
  • Reduced Confidentiality: The absence of PFS weakens the confidentiality of the communication, making it more susceptible to eavesdropping if the PSK is compromised.
  • Compliance Issues: Organizations relying on TLS 1.3 with PFS for compliance purposes may find themselves in violation of security standards if this vulnerability is exploited.

Mitigation or Patch Steps

The primary mitigation strategy is to update TLS 1.3 libraries and applications to versions that address this vulnerability. Here are the recommended steps:

  • Update wolfSSL: If you are using wolfSSL, update to the latest version or a patched version as indicated by the wolfSSL pull request #9112.
  • Verify TLS Library Behavior: Ensure that your TLS 1.3 library correctly handles the case where a server responds to a ClientHello containing `psk_dhe_ke` without a `key_share` extension. The client should either abort the connection or properly negotiate a key exchange that provides PFS.
  • Monitor TLS Handshakes: Implement monitoring mechanisms to detect unusual TLS handshakes that might indicate an attempt to exploit this vulnerability.
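The client-side check described above (a ServerHello that selects a PSK but carries no `key_share` after the client offered only `psk_dhe_ke` must be rejected), as an added example that is not wolfSSL's code or the patch in pull request #9112. It parses a TLS extensions vector and applies the rule; the sample ServerHello extension blocks are constructed here, and the extension type numbers and PSK mode values are those defined in RFC 8446. It also covers the case where the client additionally offered `psk_ke`, in which a PSK-only ServerHello is legitimate.

```python
import struct

# TLS 1.3 extension type codes (RFC 8446, section 4.2)
EXT_PRE_SHARED_KEY = 41
EXT_KEY_SHARE = 51
PSK_KE = 0        # PskKeyExchangeMode: PSK only, no (EC)DHE, so no PFS
PSK_DHE_KE = 1    # PskKeyExchangeMode: PSK with (EC)DHE, gives PFS

def parse_extensions(blob: bytes) -> dict:
    """Parse a TLS extensions vector: uint16 total length, then type/len/data."""
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    exts, off = {}, 2
    while off < len(blob):
        ext_type, ext_len = struct.unpack("!HH", blob[off:off + 4])
        data = blob[off + 4:off + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        exts[ext_type] = data
        off += 4 + ext_len
    return exts

def check_server_hello(offered_modes: set, server_exts: dict) -> str:
    """Decide 'accept' or 'abort' for a ServerHello given the client's offered PSK modes.

    Rule the client must enforce: if the server selected a PSK and the client
    offered only psk_dhe_ke, a ServerHello without key_share means no (EC)DHE
    ran, so the session would lack forward secrecy and must be aborted.
    """
    psk_selected = EXT_PRE_SHARED_KEY in server_exts
    has_key_share = EXT_KEY_SHARE in server_exts
    if not psk_selected:
        return "accept" if has_key_share else "abort"  # full handshake needs key_share
    if has_key_share:
        return "accept"  # psk_dhe_ke honoured: PSK plus (EC)DHE
    if PSK_KE in offered_modes:
        return "accept"  # client explicitly permitted non-PFS PSK resumption
    return "abort"  # psk_dhe_ke only, server dropped key_share: the CVE case

def build_exts(*entries) -> bytes:
    """Encode (type, data) pairs as a TLS extensions vector (used to build samples)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body

# Constructed sample ServerHello extension blocks (not real captures).
SERVER_PSK_NO_KEY_SHARE = build_exts((EXT_PRE_SHARED_KEY, b"\x00\x00"))
SERVER_PSK_WITH_KEY_SHARE = build_exts((EXT_PRE_SHARED_KEY, b"\x00\x00"),
                                       (EXT_KEY_SHARE, b"\x00\x1d\x00\x20" + b"\x11" * 32))
```

A vulnerable client returns the equivalent of "accept" for `SERVER_PSK_NO_KEY_SHARE` when it offered only `psk_dhe_ke`; a correct one aborts the handshake.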

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
