CVE-2025-49015: Couchbase .NET SDK (client library) does not properly enable hostname verification for TLS certificates
The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In addition, the SDK used IP addresses instead of hostnames because a configuration option was incorrectly enabled by default.
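A check for the affected range stated above, added here as an example and not part of the advisory or the Couchbase project: it scans a `.csproj` for the SDK's NuGet package, `CouchbaseNetClient`, and flags pinned versions before 3.7.1. The sample project file is constructed, and treating prereleases of 3.7.1 as affected is an assumption.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE_ID = "couchbasenetclient"  # NuGet package IDs are case-insensitive
FIXED = (3, 7, 1)                  # first fixed release named in the advisory

def is_affected(version_text):
    """True if below 3.7.1, False if fixed, None if not a single pinned version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-[\w.-]+)?",
                     (version_text or "").strip())
    if not m:
        return None  # ranges like [3.0,4.0), floating 3.*, or no version at all
    core = (int(m[1]), int(m[2]), int(m[3] or 0))
    # Assumption: a prerelease of 3.7.1 sorts before it (SemVer), so flag it too.
    return core < FIXED or (core == FIXED and m[4] is not None)

def local(tag):
    """Strip the legacy MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def scan_csproj(xml_text):
    """Return [(version_text, verdict)] for each reference to the SDK package."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != PACKAGE_ID:
            continue
        version = el.get("Version")
        if version is None:  # <Version> child element form
            version = next((c.text for c in el if local(c.tag) == "Version"), None)
        findings.append((version, is_affected(version)))
    return findings

# Constructed sample project file, not taken from any real repository.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="CouchbaseNetClient" Version="3.6.4" />
    <PackageReference Include="couchbasenetclient"><Version>3.7.1</Version></PackageReference>
    <PackageReference Include="CouchbaseNetClient" Version="[3.0,4.0)" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, verdict in scan_csproj(SAMPLE):
        label = {True: "AFFECTED", False: "ok", None: "check resolved version"}[verdict]
        print(f"CouchbaseNetClient {version}: {label}")
```

A `None` verdict (version range, floating version, or a version managed centrally outside the project file) means the resolved version has to be read from the restore output or lock file instead.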
References
- docs.couchbase.com/server/current/release-notes/relnotes.html
- forums.couchbase.com/tags/security
- github.com/advisories/GHSA-px2c-r924-mwcc
- github.com/couchbase/couchbase-net-client
- github.com/couchbase/couchbase-net-client/commit/04d1679b2178f922036be6e595b3d91f972c5ba3
- nvd.nist.gov/vuln/detail/CVE-2025-49015
- www.couchbase.com/alerts