View at Official debian advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2025-27809 not yet assigned priority: Debian including 1 source packages (mbedtls), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2.
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.