PatchSiren cyber security CVE debrief
CVE-2016-2402 Squareup CVE debrief
CVE-2016-2402 is a medium-severity certificate-pinning flaw in OkHttp. According to NVD and the supplied description, a man-in-the-middle attacker could bypass pinning by sending a certificate chain that included a certificate from a trusted CA that was not pinned, along with the pinned certificate. The affected ranges in the corpus include OkHttp before 2.7.4 and OkHttp 3.x before 3.1.2, with NVD listing vulnerable okhttp3 releases 3.0.0, 3.0.0-rc1, 3.0.1, 3.1.0, and 3.1.1.
- Vendor: Squareup
- Product: OkHttp
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-30
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-30
- Advisory updated: 2026-05-13
Who should care
Teams that ship or depend on OkHttp and rely on TLS certificate pinning for connection integrity, especially applications and services that assume pinning will block interception or transparent TLS inspection.
Technical summary
NVD classifies this as CWE-295 (Improper Certificate Validation) with CVSS v3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue is a pinning-bypass logic flaw, not a cryptographic break. A pinned certificate is public, so an attacker who holds a certificate for the target host from a trusted but unpinned CA can simply append the pinned certificate to the chain it presents; a pin check that looks for the pinned key anywhere in the presented chain, rather than only in the path that actually validated up to a trust anchor, is satisfied and the interception proceeds. The corpus identifies vulnerable versions as okhttp <= 2.7.3 and okhttp3 3.0.0, 3.0.0-rc1, 3.0.1, 3.1.0, and 3.1.1.
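To make the bypass concrete, the following Python model is an added example written for this debrief; it is not OkHttp code and is not taken from the vendor advisory. It uses constructed stand-ins (toy `Cert` objects, an `ISSUED` table in place of signature verification, made-up hostnames and keys) to contrast a pin check that searches the whole presented chain with one that first builds the validated path to a trust anchor and pins only against that. The `MAX_CHAIN_LENGTH` bound and the chain-walking routine are the example's own, not a transcript of OkHttp's implementation.

```python
"""Toy model of the CVE-2016-2402 pin check before and after the fix.
Constructed stand-ins: Cert holds a subject, issuer and fake SubjectPublicKeyInfo
bytes; an ISSUED table of (issuer, subject, spki) triples replaces real signature
verification. The chain-handling logic is the point, not the crypto."""
import base64
import hashlib
from dataclasses import dataclass

MAX_CHAIN_LENGTH = 9  # assumed bound on issuer hops while walking the chain
ISSUED = set()        # triples a toy CA really issued (replaces signature checks)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for DER SubjectPublicKeyInfo

class ChainError(Exception):
    pass

def make_root(name, spki):
    ISSUED.add((name, name, spki))  # self-signed trust anchor
    return Cert(name, name, spki)

def issue(ca, subject, spki):
    ISSUED.add((ca.subject, subject, spki))
    return Cert(subject, ca.subject, spki)

def signed_by(cert, issuer):
    return cert.issuer == issuer.subject and (issuer.subject, cert.subject, cert.spki) in ISSUED

def pin_of(cert):
    # OkHttp pin format: "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)).
    return "sha256/" + base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def vulnerable_pin_check(peer_chain, pins):
    # Pre-fix behaviour the CVE describes: a pinned key anywhere in the presented
    # chain satisfies the pin, even if that certificate is not on the validated path.
    return any(pin_of(c) in pins for c in peer_chain)

def clean_chain(peer_chain, trust_anchors):
    # Build the validated path: start at the leaf, follow issuers through the
    # presented intermediates until a trust anchor signs the top. Anything the
    # peer sent that is not on that path is dropped.
    if not peer_chain:
        raise ChainError("empty chain")
    anchors = {a.subject: a for a in trust_anchors}
    cleaned, pool = [peer_chain[0]], list(peer_chain[1:])
    for _ in range(MAX_CHAIN_LENGTH):
        current = cleaned[-1]
        anchor = anchors.get(current.issuer)
        if anchor is not None and signed_by(current, anchor):
            if anchor != current:
                cleaned.append(anchor)
            return cleaned
        for candidate in pool:  # a presented intermediate that signed `current`
            if signed_by(current, candidate):
                pool.remove(candidate)
                cleaned.append(candidate)
                break
        else:
            raise ChainError(f"no trusted issuer for {current.subject!r}")
    raise ChainError("chain too long")

def hardened_pin_check(peer_chain, trust_anchors, pins):
    # Post-fix behaviour: pin only against the cleaned, trust-validated path.
    try:
        cleaned = clean_chain(peer_chain, trust_anchors)
    except ChainError:
        return False
    return any(pin_of(c) in pins for c in cleaned)

def demo():
    # Constructed scenario: two trusted roots; the real site chains to Root A;
    # the attacker holds a certificate for the same hostname under Root B.
    root_a = make_root("Root CA A", b"root-a-key")
    root_b = make_root("Root CA B", b"root-b-key")
    inter_a = issue(root_a, "Intermediate A", b"inter-a-key")
    real_leaf = issue(inter_a, "api.example.com", b"real-site-key")
    attacker_leaf = issue(root_b, "api.example.com", b"attacker-key")
    roots, pins = [root_a, root_b], {pin_of(real_leaf)}
    legit_chain = [real_leaf, inter_a]
    # The pinned leaf is public, so the MITM appends the real chain to its own.
    mitm_chain = [attacker_leaf, real_leaf, inter_a]
    return {
        "legit_vulnerable": vulnerable_pin_check(legit_chain, pins),
        "legit_hardened": hardened_pin_check(legit_chain, roots, pins),
        "mitm_vulnerable": vulnerable_pin_check(mitm_chain, pins),
        "mitm_hardened": hardened_pin_check(mitm_chain, roots, pins),
        "mitm_cleaned": [c.subject for c in clean_chain(mitm_chain, roots)],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the MITM chain passes the pre-fix check but fails the hardened one: the cleaned path for the attacker's connection is its own leaf plus Root CA B, so the pinned key never enters the comparison. The legitimate chain passes both. This is the general principle behind the fix: pinning code has to operate on the path the TLS stack actually validated, never on the raw array of certificates the peer chose to send.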
Defensive priority
Medium. The impact is integrity-focused and requires an active network attacker who also holds a certificate for the target host from a CA the client trusts, which is why the attack complexity is rated high; the consequence is still meaningful because it defeats an application's explicit TLS pinning control without any visible error to the user.
Recommended defensive actions
- Upgrade OkHttp to a fixed release: 2.7.4 or later on the 2.x line, and 3.1.2 or later on the 3.x line.
- Inventory applications and services that use OkHttp certificate pinning so that the most exposed clients, and their update plans, are prioritized.
- Verify that deployed builds, including OkHttp pulled in transitively by other libraries, are not on any of the vulnerable okhttp3 releases listed in NVD (3.0.0, 3.0.0-rc1, 3.0.1, 3.1.0, 3.1.1).
- Review application error handling and monitoring for TLS connection failures or unexpected trust behavior after remediation, since a correct pin check will now reject chains the old code accepted.
- Treat pinning as a defense-in-depth control: keep standard certificate validation healthy and do not rely on pinning alone for broader network security.
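An inventory check for the upgrade and verification steps above, added here as an example (not a PatchSiren, Square or NVD tool). It parses Gradle-style dependency output such as `./gradlew dependencies --configuration runtimeClasspath` produces (Android builds name the configuration per variant, for example `releaseRuntimeClasspath`) and flags OkHttp coordinates resolved below the fixed releases the debrief names. Assumptions: the Maven coordinates `com.squareup.okhttp:okhttp` and `com.squareup.okhttp3:okhttp`, the `-rc` pre-release suffix form used by 3.0.0-rc1, and a constructed sample tree rather than real build output.

```python
"""Inventory check for CVE-2016-2402 over Gradle-style dependency output.
Assumptions: Maven coordinates com.squareup.okhttp:okhttp (2.x) and
com.squareup.okhttp3:okhttp (3.x); first fixed releases 2.7.4 and 3.1.2 as the
debrief states; SAMPLE_TREE is constructed, not captured from a real build."""
import re

FIRST_FIXED = {
    "com.squareup.okhttp:okhttp": "2.7.4",
    "com.squareup.okhttp3:okhttp": "3.1.2",
}

# Gradle prints "+--- group:artifact:declared -> resolved (*)"; the version after
# the arrow is what the configuration actually resolves to. The declared part is
# optional because BOM-managed entries print as "group:artifact -> resolved".
DEP_LINE = re.compile(
    r"(?P<coord>[\w.\-]+:[\w.\-]+)(?::(?P<declared>[\w.\-]+))?"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)

SAMPLE_TREE = [  # constructed sample output
    "runtimeClasspath - Runtime classpath of source set 'main'.",
    "+--- com.squareup.retrofit2:retrofit:2.0.0-beta4",
    r"|    \--- com.squareup.okhttp3:okhttp:3.0.1 -> 3.1.1",
    "+--- com.squareup.okhttp3:okhttp:3.0.0-rc1 -> 3.1.1 (*)",
    r"\--- com.squareup.okhttp:okhttp:2.7.3",
]


def parse_version(text):
    """'3.0.0-rc1' -> (3, 0, 0, 0, 1); '3.1.2' -> (3, 1, 2, 1, 0).
    Fourth field: 0 for a pre-release, 1 for a final, so 3.0.0-rc1 < 3.0.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised OkHttp version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def is_vulnerable(coord, version):
    fixed = FIRST_FIXED.get(coord)  # None for artifacts this CVE does not cover
    return fixed is not None and parse_version(version) < parse_version(fixed)


def scan_dependency_tree(lines):
    """Return {coordinate: (resolved_version, vulnerable)} for OkHttp artifacts."""
    findings = {}
    for line in lines:
        m = DEP_LINE.search(line)
        if not m or m["coord"] not in FIRST_FIXED:
            continue
        resolved = m["resolved"] or m["declared"]
        if resolved is None:
            continue
        findings[m["coord"]] = (resolved, is_vulnerable(m["coord"], resolved))
    return findings


if __name__ == "__main__":
    for coord, (version, vulnerable) in scan_dependency_tree(SAMPLE_TREE).items():
        print(f"{coord}:{version}  {'VULNERABLE' if vulnerable else 'ok'}")
```

Two details matter for an accurate inventory: Gradle shows the resolved version after `->`, so a declared `3.0.0-rc1` may ship as something else entirely and only the resolved value should be judged; and versions must be compared numerically, since `3.12.0` is newer than `3.1.2` even though it sorts lower as a string.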
Evidence notes
The supplied corpus is internally consistent: the NVD record, CVE description, and vendor/third-party references all describe a certificate-pinning bypass in OkHttp. The official NVD metadata provides the affected version ranges, CVSS vector, and CWE-295 classification. Supporting references include a vendor advisory, technical analysis, and disclosure discussion threads from February 2016. The CVE/public record date supplied here is 2017-01-30; earlier 2016 references in the corpus are disclosure evidence, not the CVE publication date.
Official resources
- CVE-2016-2402 CVE record (CVE.org)
- CVE-2016-2402 NVD detail (NVD)
- Mitigation or vendor reference: Mailing List, Third Party Advisory
- Mitigation or vendor reference: Mailing List, Third Party Advisory
- Mitigation or vendor reference: Technical Description, Third Party Advisory
- Mitigation or vendor reference: Vendor Advisory
The CVE record supplied here was published on 2017-01-30. The corpus also includes supporting public references from February 2016, including mailing-list discussion and a vendor advisory, which provide earlier disclosure context.