Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🦀 crates.io

GHSA-857q-xmph-p2v5

MEDIUM

s2n-tls's mTLS API ordering may skip client authentication

Published
Aug 9, 2024
Updated
Feb 4, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected
🦀s2n-tls

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

Impact

An API ordering issue in s2n-tls can cause client authentication to unexpectedly not be enabled on the server when it otherwise appears to be. Server applications are impacted if client authentication is enabled by calling s2n_connection_set_config() before calling s2n_connection_set_client_auth_type().

Applications are not impacted if these APIs are called in the opposite order, or if client authentication is enabled on the config with s2n_config_set_client_auth_type(). s2n-tls clients verifying server certificates are not impacted.

Impacted versions: < v1.5.0.

Patches

The patch is included in v1.5.0 [1].

Workarounds

Applications can workaround this issue by calling s2n_connection_set_config() after calling s2n_connection_set_client_auth_type(), or by enabling client authentication on the config with s2n_config_set_client_auth_type().

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to [email protected]. Please do not create a public GitHub issue.

[1] https://github.com/aws/s2n-tls/releases/tag/v1.5.0

[2] https://aws.amazon.com/security/vulnerability-reporting

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🦀crates.ios2n-tlsall versions0.3.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for s2n-tls. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update s2n-tls to 0.3.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-857q-xmph-p2v5 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-857q-xmph-p2v5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-857q-xmph-p2v5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact An API ordering issue in s2n-tls can cause client authentication to unexpectedly not be enabled on the server when it otherwise appears to be. Server applications are impacted if client authentication is enabled by calling s2n_connection_set_config() before calling s2n_connection_set_client_auth_type(). Applications are not impacted if these APIs are called in the opposite order, or if client authentication is enabled on the config with s2n_config_set_client_auth_type(). s2n-tls clients verifying server certificates are not impacted. Impacted versions: < v1.5.0. ### Patches Th
O3 Security · Impact-Aware SCA

Is GHSA-857q-xmph-p2v5 in your dependencies?

O3 detects GHSA-857q-xmph-p2v5 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works