Home

Description

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue.

PUBLISHED Reserved 2025-06-16 | Published 2026-01-10 | Updated 2026-01-10 | Assigner apache

Problem types

CWE-5 J2EE Misconfiguration: Data Transmission Without Encryption

Product status

Default status
unaffected

Any version
affected

Credits

Henrik Schnor <henrik.schnor@mailbox.org> reporter

References

www.openwall.com/lists/oss-security/2026/01/08/1

github.com/...ommit/164f1c23c18a290908df76ed83fe848bfe4a4903 patch

github.com/...ommit/ec3d75e909fa6dcadf1836fefc4432794a673d18 patch

lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z237brzc0s vendor-advisory

cve.org (CVE-2025-52435)

nvd.nist.gov (CVE-2025-52435)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.