CVE-2025-49087 in TLSinfo

Summary

by MITRE • 07/20/2025

In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2025-49087 affects Mbed TLS versions 3.6.1 through 3.6.3, representing a critical timing side-channel weakness in the cryptographic library's block cipher implementation. This flaw specifically manifests during the padding removal process when PKCS#7 padding mode is employed, creating a predictable timing difference that can be exploited by malicious actors to gradually reconstruct sensitive plaintext data. The issue stems from the library's inconsistent handling of padding validation timing across different scenarios, where the time taken to process valid versus invalid padding differs significantly enough to provide exploitable information to an attacker.

The technical implementation flaw involves the cryptographic library's failure to maintain constant-time execution during padding verification operations. When processing encrypted data with PKCS#7 padding, the system performs different timing operations depending on whether the padding is valid or invalid, creating a timing oracle that adversaries can leverage. This timing discrepancy occurs because the library's padding removal function does not execute in constant time regardless of the padding validity, violating fundamental cryptographic security principles. The vulnerability is classified under CWE-203, which specifically addresses "Observable Timing Discrepancy," and aligns with ATT&CK technique T1059.001 for command and scripting interpreter usage in exploitation contexts.

The operational impact of this vulnerability extends beyond simple data confidentiality breaches, as it enables attackers to perform progressive plaintext recovery attacks against encrypted communications. An attacker with network access or the ability to observe timing differences can repeatedly send crafted requests and measure response times to gradually deduce the original plaintext content. This vulnerability affects any application or system that relies on Mbed TLS for secure communications using block ciphers with PKCS#7 padding, including web servers, network appliances, IoT devices, and embedded systems. The risk is particularly severe for applications handling sensitive data such as personal information, financial records, or proprietary communications where even partial plaintext recovery could lead to significant compromise.

Organizations utilizing affected Mbed TLS versions should immediately upgrade to version 3.6.4 or later, which implements proper constant-time padding validation mechanisms. Additionally, system administrators should consider implementing monitoring solutions to detect unusual timing patterns that might indicate exploitation attempts. The fix addresses the core timing discrepancy by ensuring that all padding validation operations take identical amounts of time regardless of input validity, thereby eliminating the timing oracle that enabled the attack. Security teams should also review their cryptographic implementations to ensure no other similar timing vulnerabilities exist within their infrastructure, particularly in custom cryptographic modules or applications that interact with vulnerable libraries.

Responsible

MITRE

Reservation

05/30/2025

Disclosure

07/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00395

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!