CVE-2025-43918 PUBLISHED

Assigner: mitre
Reserved: 19.04.2025 Published: 19.04.2025 Updated: 19.04.2025

SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative control of that domain.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SSL.com
Product	SSL.com
Versions	Default: unaffected affected from 0 to 2025-04-19 (excl.)

References

https://news.ycombinator.com/item?id=43738485
https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

Problem Types

CWE-348 Use of Less Trusted Source CWE