A remote plaintext recovery security issue has been found in Mbed TLS before 2.12.0, 2.7.5 or 2.1.14 when a CBC-based ciphersuite is used. To mount an attack, the attacker must be able to observe and manipulate network packets and, for TLS, to generate multiple sessions in which the same plaintext is sent. For DTLS, a single session is sufficient. The attacker can then partially recover the plaintext of messages by exploiting timing side channels. The attack is feasible for all versions of TLS and DTLS, from 1.0 to 1.2.
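
A triage check for the two conditions the advisory names (an unfixed library version and a CBC-based ciphersuite), added here as an example; it is not code from the advisory or from Mbed TLS. It assumes the 2.1.x branch is fixed by 2.1.14, the 2.7.x branch by 2.7.5 and every other release line by 2.12.0; the function names and the sample inventory are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Mbed TLS encodes its version as 0xMMNNPP00 (major, minor, patch), the
 * value returned by mbedtls_version_get_number(). */
#define VER(maj, min, pat) \
    (((unsigned)(maj) << 24) | ((unsigned)(min) << 16) | ((unsigned)(pat) << 8))

/* Returns 1 if the library version predates the fix on its branch.
 * Assumption: 2.1.x is fixed by 2.1.14, 2.7.x by 2.7.5, and every other
 * release line by 2.12.0. */
int version_is_affected(unsigned v)
{
    unsigned branch = v & 0xFFFF0000u;          /* major.minor only */
    if (branch == VER(2, 1, 0)) return v < VER(2, 1, 14);
    if (branch == VER(2, 7, 0)) return v < VER(2, 7, 5);
    return v < VER(2, 12, 0);
}

/* Returns 1 if the negotiated suite name (the string returned by
 * mbedtls_ssl_get_ciphersuite()) has a CBC component. */
int suite_is_cbc(const char *name)
{
    return name != NULL && strstr(name, "-CBC-") != NULL;
}

/* A session is exposed only when both conditions hold. */
int session_is_exposed(unsigned version, const char *suite)
{
    return version_is_affected(version) && suite_is_cbc(suite);
}

int main(void)
{
    /* Constructed sample inventory, not data from the advisory. */
    static const struct { unsigned v; const char *suite; } hosts[] = {
        { VER(2, 7, 4),  "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" },
        { VER(2, 7, 5),  "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" },
        { VER(2, 11, 0), "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" },
        { VER(2, 1, 13), "TLS-RSA-WITH-AES-256-CBC-SHA" },
    };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%u.%u.%u %-40s %s\n", hosts[i].v >> 24,
               (hosts[i].v >> 16) & 0xFF, (hosts[i].v >> 8) & 0xFF, hosts[i].suite,
               session_is_exposed(hosts[i].v, hosts[i].suite) ? "EXPOSED" : "ok");
    return 0;
}
```

In a deployed application the two inputs would come from `mbedtls_version_get_number()` and, after the handshake, `mbedtls_ssl_get_ciphersuite()`.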