nginx Vulnerability CVE-2025-23419

Article ID: 395339

Updated On: 04-24-2025

Products

VMware Telco Cloud Automation

Issue/Introduction

A security scan with the Qualys tool reported CVE-2025-23419 on the Airgap Server.

Qualys Sample Output Report

Nginx Certificate Authentication Bypass Vulnerability (CVE-2025-23419)
nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server. A problem with SSL session resumption in nginx was identified.
Affected Versions:
Nginx version from 1.11.4 prior to 1.26.3
Nginx version from 1.27.0 prior to 1.27.4
QID Detection Logic (Unauthenticated):
This QID performs an unauthenticated check for vulnerable versions of Nginx by grabbing the version number from the server banner of the HTTP response after sending HTTP GET method for status code 2xx-5xx.


Environment

Telco Cloud Platform Version 5.0

Airgap Server SW Version 3.2

nginx SW Version nginx-1.26.2-1.ph4.x86_64

VMware Photon OS 4.0

Resolution

This vulnerability, CVE-2025-23419, applies to nginx versions 1.11.4 through 1.27.3 when configured to use TLSv1.3 with session resumption enabled through ssl_session_cache or ssl_session_tickets.

Although the Airgap Server (version 3.2.0.1) ships with nginx 1.26.2, its default configuration restricts nginx to TLSv1.2 rather than the affected TLSv1.3. As a result, Airgap Server SW Version 3.2 is not impacted by CVE-2025-23419, and no remediation is required at this time.

You may verify the TLS version configured on the Airgap Server with the following command:

grep -i tls /etc/nginx/nginx.conf

Expected output:

ssl_protocols TLSv1.2;
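The grep above only confirms that ssl_protocols is explicitly set. The script below is an added example, not part of this article or of the Airgap Server product: it strips comments, reads every ssl_protocols, ssl_session_cache and ssl_session_tickets directive in a given nginx.conf, and reports whether the precondition named in the Resolution (TLSv1.3 enabled together with session resumption) holds, and whether a given nginx version falls in the ranges listed in the Qualys report. It assumes nginx's defaults (ssl_session_tickets on, ssl_session_cache off, ssl_protocols including TLSv1.3 when the directive is absent) and does not follow include files; the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the KB article): config and version check for the
# CVE-2025-23419 precondition. Assumed nginx defaults: ssl_session_tickets on,
# ssl_session_cache off, ssl_protocols includes TLSv1.3 if unset. No include following.

# Print the relevant directives of one file, comments stripped, one per line.
nginx_tls_directives() {
  sed -e 's/#.*$//' "$1" | tr ';' '\n' | sed -e 's/^[[:space:]]*//' \
    | grep -E '^ssl_(protocols|session_cache|session_tickets)[[:space:]]' || true
}

# Prints "exposed" (exit 0) or "not-exposed" (exit 1) for the given nginx.conf.
nginx_tls13_resumption_check() {
  dirs=$(nginx_tls_directives "$1")
  if printf '%s\n' "$dirs" | grep -q '^ssl_protocols'; then
    tls13=$(printf '%s\n' "$dirs" | grep '^ssl_protocols' | grep -c 'TLSv1\.3' || true)
  else
    tls13=1   # no ssl_protocols directive: the assumed default includes TLSv1.3
  fi
  tickets_off=$(printf '%s\n' "$dirs" | grep -Ec '^ssl_session_tickets[[:space:]]+off' || true)
  tickets_on=$(printf '%s\n' "$dirs" | grep -Ec '^ssl_session_tickets[[:space:]]+on' || true)
  cache_on=$(printf '%s\n' "$dirs" | grep '^ssl_session_cache' | grep -Evc '(off|none)' || true)
  resumption=0
  # Resumption stays on unless tickets are explicitly off and no session cache is set.
  if [ "$cache_on" -gt 0 ] || [ "$tickets_on" -gt 0 ] || [ "$tickets_off" -eq 0 ]; then
    resumption=1
  fi
  if [ "$tls13" -gt 0 ] && [ "$resumption" -gt 0 ]; then echo exposed; return 0; fi
  echo not-exposed; return 1
}

# Version ranges from the Qualys report: 1.11.4 <= v < 1.26.3 or 1.27.0 <= v < 1.27.4.
nginx_version_affected() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  n=$(( $1 * 1000000 + $2 * 1000 + $3 ))
  if [ "$n" -ge 1011004 ] && [ "$n" -lt 1026003 ]; then return 0; fi
  if [ "$n" -ge 1027000 ] && [ "$n" -lt 1027004 ]; then return 0; fi
  return 1
}

# Constructed sample configs (not real Airgap Server files) for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_AIRGAP="$SAMPLE_DIR/airgap.conf"; SAMPLE_EXPOSED="$SAMPLE_DIR/exposed.conf"
printf 'http {\n  server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2; # TLSv1.3 disabled\n  }\n}\n' > "$SAMPLE_AIRGAP"
printf 'http {\n  ssl_session_cache shared:SSL:10m;\n  server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2 TLSv1.3;\n    ssl_session_tickets off;\n  }\n}\n' > "$SAMPLE_EXPOSED"
for f in "$SAMPLE_AIRGAP" "$SAMPLE_EXPOSED"; do
  printf '%s: %s\n' "$f" "$(nginx_tls13_resumption_check "$f")"
done
```

The second sample shows why both directives matter: with ssl_session_tickets off but a shared ssl_session_cache, resumption is still on and the check still reports exposure.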

Additional Information