
Upgrade vulnerable dependency Mbed TLS 3.6.2 to 3.6.4 #18836

@mghostsoft

Description


What happens?

According to this file: https://github.com/duckdb/duckdb/blob/main/third_party/mbedtls/include/mbedtls/build_info.h , DuckDB is using Mbed TLS 3.6.2.

According to https://nvd.nist.gov/vuln/detail/CVE-2025-47917, any version prior to 3.6.4 is vulnerable.

Please kindly upgrade this third-party dependency. Thank you very much.

To Reproduce

N/A; no code is needed to reproduce this.

OS:

macOS

DuckDB Version:

1.3.2

DuckDB Client:

Node

Hardware:

No response

Full Name:

Meng Wang

Affiliation:

Salesforce

What is the latest build you tested with? If possible, we recommend testing with the latest nightly build.

I have tested with a stable release

Did you include all relevant data sets for reproducing the issue?

Yes

Did you include all code required to reproduce the issue?

  • Yes, I have

Did you include all relevant configuration (e.g., CPU architecture, Python version, Linux distribution) to reproduce the issue?

  • Yes, I have
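The report above identifies the vendored version by reading build_info.h by hand. The script below automates that check, parsing the version macros out of a build_info.h and comparing them against the 3.6.4 threshold the report cites, as an added example (not DuckDB's or Mbed TLS's own code). The header text it parses is constructed for the example and is not a copy of DuckDB's file; the macro names follow Mbed TLS 3.x's build_info.h, which is an assumption of this example.

```python
"""Check a vendored Mbed TLS build_info.h against a minimum fixed version.

Added example, not DuckDB or Mbed TLS project code. It assumes only that
build_info.h defines MBEDTLS_VERSION_MAJOR/MINOR/PATCH and
MBEDTLS_VERSION_NUMBER as Mbed TLS 3.x does; the header text below is
constructed for the example and is not a copy of DuckDB's file.
"""
import re
from pathlib import Path
from typing import Tuple

Version = Tuple[int, int, int]

# Constructed stand-in for third_party/mbedtls/include/mbedtls/build_info.h
SAMPLE_BUILD_INFO = """\
#define MBEDTLS_VERSION_MAJOR  3
#define MBEDTLS_VERSION_MINOR  6
#define MBEDTLS_VERSION_PATCH  2
#define MBEDTLS_VERSION_NUMBER         0x03060200
#define MBEDTLS_VERSION_STRING         "3.6.2"
#define MBEDTLS_VERSION_STRING_FULL    "Mbed TLS 3.6.2"
"""

# Fix version named in the report; the check only encodes that threshold.
MINIMUM_FIXED: Version = (3, 6, 4)

_DEFINE_RE = re.compile(
    r'^\s*#\s*define\s+MBEDTLS_VERSION_(MAJOR|MINOR|PATCH|NUMBER)\s+(\S+)', re.M
)


def parse_version(header_text: str) -> Version:
    """Return (major, minor, patch) from build_info.h text.

    Reads the three component macros and cross-checks them against
    MBEDTLS_VERSION_NUMBER (packed as 0xMMmmpp00) so that a header that was
    only partially bumped during an upgrade is reported instead of trusted.
    """
    found = {m.group(1): m.group(2) for m in _DEFINE_RE.finditer(header_text)}
    missing = {"MAJOR", "MINOR", "PATCH"} - found.keys()
    if missing:
        raise ValueError(f"build_info.h lacks MBEDTLS_VERSION_{sorted(missing)}")
    version = (int(found["MAJOR"]), int(found["MINOR"]), int(found["PATCH"]))
    if "NUMBER" in found:
        number = int(found["NUMBER"], 0)
        packed = (version[0] << 24) | (version[1] << 16) | (version[2] << 8)
        if number != packed:
            raise ValueError(
                f"MBEDTLS_VERSION_NUMBER {number:#010x} disagrees with {version}"
            )
    return version


def is_fixed(version: Version, minimum: Version = MINIMUM_FIXED) -> bool:
    """True when the vendored version is at or above the fix version."""
    return version >= minimum


def check_file(path: str, minimum: Version = MINIMUM_FIXED) -> bool:
    """Convenience wrapper: read a real build_info.h from disk and check it."""
    return is_fixed(parse_version(Path(path).read_text()), minimum)


if __name__ == "__main__":
    v = parse_version(SAMPLE_BUILD_INFO)
    status = "OK" if is_fixed(v) else "below 3.6.4, update required"
    print(f"vendored Mbed TLS {'.'.join(map(str, v))}: {status}")
```

Pointing `check_file` at the real `third_party/mbedtls/include/mbedtls/build_info.h` in a CI job turns the manual inspection in the report into a failing check whenever the vendored copy falls below the threshold; the cross-check against MBEDTLS_VERSION_NUMBER catches an upgrade that edited the string macros but not the packed number.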

Metadata

Assignees

No one assigned

Labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests