{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57500?format=json","vulnerability_id":"VCID-pnqe-rw2g-dyeq","summary":"Couchbase .NET SDK (client library) does not properly enable hostname verification for TLS certificates\nThe Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.","aliases":[{"alias":"CVE-2025-49015"},{"alias":"GHSA-px2c-r924-mwcc"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49015","reference_id":"","reference_type":"","scores":[{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37075","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37023","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37011","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.3705","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37083","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49015"},{"reference_url":"https://docs.couchbase.com/server/current/release-notes/relnotes.html","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-18T14:45:18Z/"}],"url":"https://docs.couchbase.com/server/current/release-notes/relnotes.html"},{"reference_url":"https://forums.couchbase.com/tags/security","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-18T14:45:18Z/"}],"url":"https://forums.couchbase.com/tags/security"},{"reference_url":"https://github.com/couchbase/couchbase-net-client","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/couchbase/couchbase-net-client"},{"reference_url":"https://github.com/couchbase/couchbase-net-client/commit/04d1679b2178f922036be6e595b3d91f972c5ba3","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/couchbase/couchbase-net-client/commit/04d1679b2178f922036be6e595b3d91f972c5ba3"},{"reference_url":"https://www.couchbase.com/alerts","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.couchbase.com/alerts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49015","reference_id":"CVE-2025-49015","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49015"},{"reference_url":"https://github.com/advisories/GHSA-px2c-r924-mwcc","reference_id":"GHSA-px2c-r924-mwcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-px2c-r924-mwcc"}],"weaknesses":[{"cwe_id":297,"name":"Improper Validation of Certificate with Host Mismatch","description":"The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pnqe-rw2g-dyeq"}