{"id":"JLSEC-2025-233","summary":"Padding oracle through timing of cipher error reporting","details":"## Vulnerability\n\nIn symmetric encryption modes that involve padding, if an attacker can submit ciphertexts for decryption and learn whether the padding is valid, this provides partial information about the plaintext. If the attacker can also submit input that the victim encrypts together with a secret, this can allow the attacker to recover the whole secret part. This is known as a padding oracle attack. The attacker may learn the validity of the padding directly or indirectly, for example through timing.\n\nIn the Mbed TLS legacy API (`mbedtls_cipher_crypt()`, `mbedtls_cipher_finish()`), the problematic modes are ECB and CBC with any padding other than `NONE`. In the PSA Crypto API (`psa_cipher_decrypt()`, `psa_cipher_finish()`), the problematic algorithm is `PSA_ALG_CBC_PKCS7`.\n\nMbed TLS takes care to check the padding in constant time inside the legacy cipher modules, so `mbedtls_cipher_crypt()` and `mbedtls_cipher_finish()` are not vulnerable. However, application code may be vulnerable if it handles errors from these functions in a way that is not constant-time.\n\nIn the PSA API, when the built-in implementation of CBC-PKCS7 is used, the PSA functions (`psa_cipher_decrypt()`, `psa_cipher_finish()`) call `mbedtls_cipher_finish()` and translate its error codes into PSA error codes. This translation is not constant-time, and a local unprivileged attacker may be able to observe which error is raised by timing shared resources such as a code cache or a branch predictor.\n\nIn the PSA API, when using a driver, there is no error translation. However, some code paths inside the library distinguish the error case from the success case, which allows the same attack.\n\n## Impact\n\nLocal attackers may be able to recover plaintexts encrypted with CBC-PKCS7 or other symmetric encryption modes using padding when they are decrypted through the PSA API.\n\nApplications using the legacy API to decrypt with padding may be affected through their own error handling.\n\n## Affected versions\n\nAll versions of Mbed TLS up to 3.6.4 are affected.\n\nTF-PSA-Crypto 1.0.0beta is also affected.\n\n## Work-around\n\nApplications are not affected if they only accept authenticated ciphertexts for CBC decryption, i.e. if they only use CBC as part of an encrypt-then-MAC construction. (Applications should use AEAD modes instead of CBC-based modes whenever possible.)\n\n## Resolution\n\nAffected users should upgrade to Mbed TLS 3.6.5 or TF-PSA-Crypto 1.0.0 or above.\n\nAdditionally, applications using `mbedtls_cipher_crypt()` or `mbedtls_cipher_finish()` with a CBC or ECB mode with padding should review their error handling, and should consider switching to the new function `mbedtls_cipher_finish_padded()` which simplifies the handling of invalid-padding conditions.\n\nApplications doing decryption with `PSA_ALG_CBC_PKCS7` should handle errors carefully if local timing attacks are a concern. (This also applies to asymmetric decryption with `PSA_ALG_RSA_PKCS1V15_CRYPT`.)","modified":"2025-11-21T16:18:08.048602Z","published":"2025-11-21T15:59:04.054Z","upstream":["CVE-2025-59438"],"database_specific":{"sources":[{"html_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59438","imported":"2025-11-20T23:04:03.557Z","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-59438","published":"2025-10-21T15:15:39.103Z","modified":"2025-10-23T12:35:35.187Z","id":"CVE-2025-59438"}],"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/"},{"type":"WEB","url":"https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/"}],"affected":[{"package":{"name":"MbedTLS_jll","ecosystem":"Julia","purl":"pkg:julia/MbedTLS_jll?uuid=c8ffd9c3-330d-5841-b78e-0817d7145fa1"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-233.json"}}],"schema_version":"1.7.3"}