CVE-2025-59154: Openfire has potential identity spoofing issue via unsafe CN parsing
Identity spoofing in X.509 client certificate authentication in Openfire allows internal attackers to impersonate other users via crafted certificate subject attributes, due to regex-based extraction of CN from an unescaped, provider-dependent DN string.
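The bug class described above, as an added illustration that is not Openfire's code or its fix: a regex that scans the flat DN string for "CN=" (an illustrative pattern, assumed here, in the style the advisory describes) is contrasted with an RDN-aware extraction using the JDK's javax.naming.ldap.LdapName, which honours RFC 2253 escaping and only returns attributes whose type is CN. The subject DN is constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Illustrative contrast of regex-based CN extraction with RDN-aware parsing (not Openfire's code). */
public class CnExtractionDemo {

    // Assumed pattern in the style the advisory describes: it looks for "CN=" anywhere in the flat
    // DN string, so a "CN=" that only appears inside another attribute's value is matched as well.
    private static final Pattern CN_REGEX = Pattern.compile("CN=([^,]+)", Pattern.CASE_INSENSITIVE);

    /** Unsafe: every "CN=..." substring of the DN string becomes a candidate identity. */
    static List<String> cnViaRegex(String dn) {
        List<String> names = new ArrayList<>();
        Matcher m = CN_REGEX.matcher(dn);
        while (m.find()) {
            names.add(m.group(1).trim());
        }
        return names;
    }

    /**
     * Safer: parse the DN into RDNs under RFC 2253 rules and keep only attributes whose type is CN.
     * Feed it a consistently escaped string, e.g. from
     * certificate.getSubjectX500Principal().getName(X500Principal.RFC2253), rather than a
     * provider-dependent toString() form.
     */
    static List<String> cnViaRdn(String dn) throws InvalidNameException {
        List<String> names = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                names.add(String.valueOf(rdn.getValue()));
            }
        }
        return names;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN: the only CN attribute is "mallory"; "CN=alice" is merely the OU value.
        String subject = "CN=mallory,OU=CN=alice,O=Example";
        System.out.println("regex : " + cnViaRegex(subject)); // [mallory, alice]  <- spoofed identity
        System.out.println("rdn   : " + cnViaRdn(subject));   // [mallory]
    }
}
```

A mapping that accepts exactly one CN RDN, and rejects certificates with zero or several, closes the remaining ambiguity.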
References
- github.com/advisories/GHSA-w252-645g-87mp
- github.com/igniterealtime/Openfire
- github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java
- github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp
- igniterealtime.atlassian.net/browse/OF-3122
- igniterealtime.atlassian.net/browse/OF-3123
- igniterealtime.atlassian.net/browse/OF-3124
- nvd.nist.gov/vuln/detail/CVE-2025-59154