Vulnerability Description
J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Nimble | < 1.9.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfPatch
- https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794Patch
- https://lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z237brzc0sMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2026/01/08/1Mailing ListThird Party Advisory
FAQ
What is CVE-2025-52435?
CVE-2025-52435 is a vulnerability with a CVSS score of 7.5 (HIGH). J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection ...
How severe is CVE-2025-52435?
CVE-2025-52435 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-52435?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Nimble.