LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS


CWE-295

Improper Certificate Validation

Abstraction: Base

What it is

The product does not validate, or incorrectly validates, a certificate.

Impact

Integrity, Authentication: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Mitigations

  • [Architecture and Design, Implementation] Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
  • [Implementation] If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
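Both mitigations in working form, as an added example that is not code from the CWE entry or from any project its CVEs cite. It shows the client configuration that produces CWE-295 (the Python equivalent of `curl -k`: no chain, no hostname check), the hardened default beside it, and a pin that is applied only after the handshake has already validated chain and hostname. The helper names (`insecure_context`, `hardened_context`, `context_validates`, `verify_pin`, `connect_pinned`) are this example's own, and pinning the SHA-256 of the whole DER leaf certificate rather than the SPKI is an assumption made to keep the example free of third-party parsers.

```python
"""Added example (not code from the CWE page or any cited project): the
insecure client configuration that CWE-295 describes, the hardened
default beside it, and a pin check that runs only after chain and
hostname validation have succeeded."""
import hashlib
import hmac
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The CWE-295 anti-pattern, equivalent to `curl -k`: no chain is
    built and no hostname is checked, so any certificate an on-path
    attacker presents (self-signed included) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a client should use: CERT_REQUIRED against the platform trust
    store, hostname checked against SAN/CN, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates(ctx: ssl.SSLContext) -> bool:
    """Review helper (this example's own): True only when the context both
    requires a trusted chain and verifies the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verify_pin(leaf_der: bytes, expected_sha256_hex: str) -> bool:
    """Compare the SHA-256 of the DER leaf certificate to the pin in
    constant time.  Pinning the whole certificate (rather than the SPKI)
    is an assumption made so no third-party X.509 parser is needed."""
    digest = hashlib.sha256(leaf_der).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


def connect_pinned(host: str, port: int, expected_sha256_hex: str,
                   timeout: float = 5.0) -> str:
    """Open a TLS connection, let the hardened context validate chain and
    hostname during the handshake, then apply the pin on top.  The pin
    adds a check, it replaces none: pinning a certificate that was never
    validated for this hostname (the second mitigation's warning) lets a
    trust-on-first-use pin lock in an attacker's certificate."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not verify_pin(leaf, expected_sha256_hex):
                raise ssl.SSLCertVerificationError(
                    "certificate pin mismatch for %s" % host)
            return tls.version()


# Network use, for a real host and its current leaf-certificate hash:
#   connect_pinned("example.com", 443, "<sha256 hex of the DER leaf>")
```

`context_validates` is the check to run over every `SSLContext` a code base constructs: a context with `verify_mode` other than `CERT_REQUIRED` or with `check_hostname` cleared is the same defect the router firmware in CVE-2021-22909 shipped, whatever the surrounding code looks like.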

Real-world CVE examples

  • CVE-2019-12496 — A Go framework for robotics, drones, and IoT devices skips verification of root CA certificates by default.
  • CVE-2014-1266 — Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (I
  • CVE-2021-22909 — Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle
  • CVE-2008-4989 — Verification function trusts certificate chains in which the last certificate is self-signed.
  • CVE-2012-5821 — Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA
  • CVE-2009-3046 — Web browser does not check if any intermediate certificates are revoked.
  • CVE-2011-0199 — Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.
  • CVE-2012-5810 — Mobile banking application does not verify hostname, leading to financial loss.
  • CVE-2012-3446 — Cloud-support library written in Python uses incorrect regular expression when matching hostname.
  • CVE-2009-2408 — Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites.
  • CVE-2012-2993 — Smartphone device does not verify hostname, allowing spoofing of mail services.
  • CVE-2012-5822 — Application uses third-party library that does not validate hostname.
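Several of the CVEs above are hostname-matching bugs (CVE-2012-3446's unescaped regular expression, CVE-2009-2408's NUL byte in the Common Name, the applications and libraries that skipped the hostname check entirely). The following is an added example, not code from the CWE entry or from any of the projects those CVEs name: a matcher of the kind that goes wrong beside one that applies the RFC 6125 rules (wildcard only as the whole leftmost label, never spanning a dot, never matching a public suffix, CN ignored when SAN dNSName entries are present, NUL rejected outright). The function names and the inputs in the tests are constructed for this example; rejecting partial wildcards such as `w*.example.com` is a deliberately conservative choice, not an RFC requirement.

```python
"""Added example, not code from the CWE page or any project its CVEs
name: a regex-based hostname check of the kind CVE-2012-3446 got wrong,
beside a matcher that follows the RFC 6125 rules (constructed inputs)."""
import re


def weak_match(hostname: str, cert_name: str) -> bool:
    """Vulnerable: turns the certificate name into a regex without
    escaping it, so every '.' matches any character, and re.match
    anchors only the start, so trailing labels are ignored.  Illustrates
    the bug class, not any specific project's code."""
    pattern = cert_name.replace("*", "[^.]*")
    return re.match(pattern, hostname) is not None


# One DNS label: 1-63 chars, alphanumerics and hyphens, no edge hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def _name_matches(hostname: str, cert_name: str) -> bool:
    """Match one dNSName or CN value against the requested hostname."""
    # CVE-2009-2408 class: a NUL anywhere means this is an attack, not a name.
    if "\x00" in hostname or "\x00" in cert_name:
        return False
    host = hostname.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must agree exactly.
    if len(host) != len(pat) or not all(_LABEL.fullmatch(l) for l in host):
        return False
    first, rest = pat[0], pat[1:]
    # Wildcard is permitted in the leftmost label only.
    if any("*" in l for l in rest) or not all(_LABEL.fullmatch(l) for l in rest):
        return False
    if first == "*":
        # Require at least two fixed labels: '*.com' and bare '*' are rejected.
        return len(rest) >= 2 and rest == host[1:]
    if "*" in first:
        return False   # partial wildcards like 'w*.example.com' not accepted here
    return pat == host


def hostname_matches(hostname, san_dns_names, common_name=None) -> bool:
    """RFC 6125 ordering: when the certificate carries any dNSName entry the
    CN is ignored entirely; the CN is a fallback for legacy certificates only."""
    if san_dns_names:
        return any(_name_matches(hostname, n) for n in san_dns_names)
    return common_name is not None and _name_matches(hostname, common_name)
```

`weak_match` accepts `wwwXexampleXcom` and `www.example.com.attacker.test` for a certificate issued to `www.example.com`, which is exactly what an attacker with a certificate for a name they do control needs; `hostname_matches` rejects both, along with NUL-bearing names and wildcards that would cover a whole top-level domain.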


Source: MITRE CWE. View on cwe.mitre.org →
