Vulnerability-Lookup

GHSA-8MFP-XMV3-HV35

Vulnerability from github – Published: 2026-01-10 12:30 – Updated: 2026-01-10 12:30

Details

Authentication Bypass by Spoofing vulnerability in Apache NimBLE.

Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. This issue affects Apache NimBLE: through 1.8.0.

Users are recommended to upgrade to version 1.9.0, which fixes the issue.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-62235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-10T10:15:50Z",
    "severity": null
  },
  "details": "Authentication Bypass by Spoofing vulnerability in Apache NimBLE.\n\nReceiving specially crafted Security Request could lead to removal of original bond\u00a0and re-bond with impostor.\nThis issue affects Apache NimBLE: through 1.8.0.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue.",
  "id": "GHSA-8mfp-xmv3-hv35",
  "modified": "2026-01-10T12:30:16Z",
  "published": "2026-01-10T12:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/08/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2025-62235 (GCVE-0-2025-62235)

Vulnerability from cvelistv5 – Published: 2026-01-10 09:42 – Updated: 2026-01-10 10:07

Title

Apache Mynewt NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing

Summary

Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue.

Severity ?

No CVSS data available.

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

apache

References

URL

Tags

	https://github.com/apache/mynewt-nimble/commit/41…	patch
	https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h…	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Mynewt NimBLE	Affected: 0 , ≤ 1.8.0 (semver)

Credits

Tommaso Sacchetti <tommaso.sacchetti@gmail.com>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-10T10:07:12.051Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/08/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Mynewt NimBLE",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.8.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Tommaso Sacchetti \u003ctommaso.sacchetti@gmail.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAuthentication Bypass by Spoofing vulnerability in Apache NimBLE.\u003c/p\u003eReceiving specially crafted Security Request could lead to removal of original bond\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and re-bond with impostor.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache NimBLE: through 1.8.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Authentication Bypass by Spoofing vulnerability in Apache NimBLE.\n\nReceiving specially crafted Security Request could lead to removal of original bond\u00a0and re-bond with impostor.\nThis issue affects Apache NimBLE: through 1.8.0.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-10T09:42:30.446Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Mynewt NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-62235",
    "datePublished": "2026-01-10T09:42:30.446Z",
    "dateReserved": "2025-10-09T15:28:28.169Z",
    "dateUpdated": "2026-01-10T10:07:12.051Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-8MFP-XMV3-HV35

CVE-2025-62235 (GCVE-0-2025-62235)

Tags

Sightings

Nomenclature