The vulnerability (CVE-2025-49015) in the Couchbase .NET SDK prior to version 3.7.1 concerns hostname verification for TLS certificates not being properly enforced. The issue was compounded by the SDK potentially connecting by IP address instead of hostname because of a misconfigured default option (ForceIpAsTargetHost), which can render hostname validation ineffective even when it is enabled.
The analysis of the provided patch (commit 04d1679b2178f922036be6e595b3d91f972c5ba3) reveals the core issues:
- Existence of an overly permissive validator: The function Couchbase.Core.IO.Authentication.X509.CertificateFactory.ValidatorWithIgnoreNameMismatch was designed to bypass hostname mismatch errors. This function was called within the certificate validation logic in Couchbase.Core.IO.Connections.ConnectionFactory.CreateAndConnectAsync (for KV connections) and Couchbase.Core.IO.HTTP.CouchbaseHttpClientFactory.CreateClientHandler (for HTTP connections), especially when an option to ignore mismatches was set. The vulnerability description suggests these options might have been incorrectly applied or defaulted.
- Flawed error clearing: The utility function Couchbase.Core.IO.Authentication.X509.CertificateFactory.WithoutNameMismatch, used by the aforementioned validator, previously cleared not only RemoteCertificateNameMismatch errors but also RemoteCertificateChainErrors. This could hide other significant certificate issues (an untrusted or expired chain, for example) whenever a hostname mismatch was being ignored, intentionally or not.
- Incorrect validation flow: The commit message indicates a critical flaw: "Validation was passing when certificate name validation failed. If the built-in certificate validation failed, validation is then attempted by the couchbase callback which does not validate the certificate name." This implies that the SDK's custom callback logic, which involved ValidatorWithIgnoreNameMismatch, could override or bypass the initial (and correct) failure reported by the system's TLS implementation when a hostname mismatch occurred.
The patch rectifies these issues by:
- Removing the ValidatorWithIgnoreNameMismatch function entirely.
- Modifying WithoutNameMismatch to clear only the RemoteCertificateNameMismatch error, leaving other chain errors intact.
- Introducing a new CallbackCreator class. This class centralizes and corrects the certificate validation callback logic, ensuring that hostname mismatches are ignored only if explicitly configured via the KvIgnoreRemoteCertificateNameMismatch or HttpIgnoreRemoteCertificateMismatch flags, and that validation fails correctly otherwise.
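To make the second and third fixes concrete, the following C# example is an added illustration, not the Couchbase SDK's own code. It contrasts the flawed error-clearing helper described above (clearing chain errors together with the name mismatch) with the corrected one (clearing only the name-mismatch bit), and builds a RemoteCertificateValidationCallback that tolerates a hostname mismatch only when the caller explicitly opts in. The `ignoreNameMismatch` parameter stands in for the KvIgnoreRemoteCertificateNameMismatch / HttpIgnoreRemoteCertificateMismatch options; the class and method names are assumptions, and the SslPolicyErrors combinations in Main are constructed inputs.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Illustrative reconstruction (not the SDK's code) of the two behaviours the
// analysis describes: the error-clearing helper and the validation callback.
public static class CertificateNameMismatchDemo
{
    // FLAWED (pre-3.7.1 behaviour as described): clearing RemoteCertificateChainErrors
    // along with the name mismatch hides an untrusted, expired or revoked chain.
    public static SslPolicyErrors WithoutNameMismatchFlawed(SslPolicyErrors errors) =>
        errors & ~(SslPolicyErrors.RemoteCertificateNameMismatch
                   | SslPolicyErrors.RemoteCertificateChainErrors);

    // FIXED: only the name-mismatch bit is cleared; every other error survives.
    public static SslPolicyErrors WithoutNameMismatch(SslPolicyErrors errors) =>
        errors & ~SslPolicyErrors.RemoteCertificateNameMismatch;

    // Builds the callback handed to SslStream / HttpClientHandler. A hostname
    // mismatch is tolerated only when ignoreNameMismatch is explicitly true
    // (stand-in for the Kv/Http ignore-mismatch options; the name is an assumption).
    public static RemoteCertificateValidationCallback CreateCallback(bool ignoreNameMismatch)
    {
        return (sender, certificate, chain, sslPolicyErrors) =>
        {
            SslPolicyErrors remaining = ignoreNameMismatch
                ? WithoutNameMismatch(sslPolicyErrors)
                : sslPolicyErrors;

            // Any error left after the configured exemption fails the handshake;
            // the callback never "rescues" a failure the platform already reported.
            return remaining == SslPolicyErrors.None;
        };
    }

    public static void Main()
    {
        // Constructed scenario: the certificate's chain does not validate AND its
        // name does not match the target host.
        SslPolicyErrors nameAndChain = SslPolicyErrors.RemoteCertificateNameMismatch
                                     | SslPolicyErrors.RemoteCertificateChainErrors;

        Console.WriteLine($"flawed helper leaves: {WithoutNameMismatchFlawed(nameAndChain)}");
        Console.WriteLine($"fixed helper leaves:  {WithoutNameMismatch(nameAndChain)}");

        RemoteCertificateValidationCallback strict = CreateCallback(ignoreNameMismatch: false);
        RemoteCertificateValidationCallback lenient = CreateCallback(ignoreNameMismatch: true);
        object sender = new object();

        // Name mismatch alone: strict rejects; lenient accepts because it was opted in.
        Console.WriteLine($"strict, name mismatch only:  {strict(sender, null, null, SslPolicyErrors.RemoteCertificateNameMismatch)}");
        Console.WriteLine($"lenient, name mismatch only: {lenient(sender, null, null, SslPolicyErrors.RemoteCertificateNameMismatch)}");

        // Name mismatch plus chain error: even the lenient callback must reject.
        Console.WriteLine($"lenient, name + chain:       {lenient(sender, null, null, nameAndChain)}");
    }
}
```

With the constructed inputs, the flawed helper reports no remaining errors for a certificate that both fails chain validation and mismatches the hostname, which is exactly how a bad chain could slip past when a mismatch was being ignored; the corrected helper still reports RemoteCertificateChainErrors. The callback accepts a bare name mismatch only when explicitly opted in and rejects any input that carries a chain error regardless of the option, mirroring the "fail correctly otherwise" behaviour the patch introduces.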
The identified vulnerable functions, ValidatorWithIgnoreNameMismatch and the older version of WithoutNameMismatch, were direct contributors to the failure to properly verify hostnames, allowing for potential man-in-the-middle attacks if an attacker could present a certificate valid for a different hostname.