The OpenSSL Project has released new versions of its SSL/TLS toolkit to address three security vulnerabilities, two of which are rated as moderate severity.
The updates (versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd) patch flaws tracked as CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232.
The most significant is CVE-2025-9231, which could enable private key recovery. Such a breach could allow decryption of secure communications or man-in-the-middle attacks.
However, OpenSSL developers clarified that this vulnerability affects only SM2 algorithm implementations on 64-bit ARM platforms and is not relevant to standard TLS configurations.
They noted that while custom implementations could be vulnerable, the limited scope justifies the moderate severity rating.
CVE-2025-9230, an out-of-bounds read/write vulnerability that could lead to arbitrary code execution or denial-of-service attacks, also received a moderate rating.
The project's advisory explained that while successful exploitation would have serious consequences, the likelihood of such an attack is low.
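The fixed versions listed above are what a defender needs to check an installed toolkit against, and the two version schemes (numeric patch levels for 3.x, letter suffixes such as "zd" and "zm" for 1.1.1 and 1.0.2) do not compare the same way. The following script is an added example, not code from this article or from the OpenSSL project: it parses an `openssl version` banner and reports whether that build is at or above the fixed release for its series. The version table is taken from the releases named above; the `check`, `parse_version` and `installed_banner` function names are this example's own, and a series the article does not list (for example 3.1) is reported as unknown rather than judged.

```python
import re
import subprocess

# Fixed releases as listed in the advisory summary above, keyed by release series.
# Series not in this table are not covered by the text above and are reported
# as "unknown-series" rather than guessed at.
FIXED = {
    "3.5": "3.5.4",
    "3.4": "3.4.3",
    "3.3": "3.3.5",
    "3.2": "3.2.6",
    "3.0": "3.0.18",
    "1.1.1": "1.1.1zd",
    "1.0.2": "1.0.2zm",
}

_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Parse an `openssl version` banner into (major, minor, patch, suffix).

    3.x releases use a numeric patch level ("3.0.18"); 1.x releases use a
    letter suffix ("1.1.1zd"), which is kept separately for comparison.
    """
    m = _BANNER.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def _suffix_key(suffix):
    # 1.x letter suffixes run a..z, then za..zz: a longer suffix is always
    # newer, and suffixes of equal length order alphabetically.
    return (len(suffix), suffix)


def _version_key(version):
    major, minor, patch, suffix = version
    return (major, minor, patch, _suffix_key(suffix))


def series_of(version):
    """Release series a version belongs to: "3.0" for 3.0.x, "1.1.1" for 1.1.1x."""
    major, minor, patch, _ = version
    if major >= 3:
        return f"{major}.{minor}"
    return f"{major}.{minor}.{patch}"


def check(banner):
    """Return (series, verdict) for a version banner.

    verdict is "patched" when the build is at or above the fixed release for
    its series, "vulnerable" when it is below it, and "unknown-series" when
    the series is not in the table.
    """
    version = parse_version(banner)
    series = series_of(version)
    fixed = FIXED.get(series)
    if fixed is None:
        return series, "unknown-series"
    if _version_key(version) >= _version_key(parse_version("OpenSSL " + fixed)):
        return series, "patched"
    return series, "vulnerable"


def installed_banner():
    """Run the local `openssl version` and return its first output line."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()[0]


if __name__ == "__main__":
    banner = installed_banner()
    series, verdict = check(banner)
    print(f"{banner.strip()} -> series {series}: {verdict}")
```

Run it on a host to classify the system binary; on systems with several OpenSSL builds (a vendored copy inside an application, a container base image), feed `check` the banner from each binary rather than only the one on `PATH`, since the version string the application actually links against is the one that matters.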