CVE-2025-22874
BaseFortify

Publication date: 2025-06-11

Last updated on: 2025-06-12

Assigner: Go Project

Description
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-11
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-22874 is a security issue in the Go programming language's crypto/x509 package. When the Verify method is called with VerifyOptions.KeyUsages containing ExtKeyUsageAny, it unintentionally disables certificate policy validation. This happens because the implementation incorrectly links key usage validation with policy validation, causing the enforcement of certificate policies to be bypassed. This flaw only affects certificate chains that contain policy graphs, which are uncommon. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can allow certificates that do not meet required policy validations to be accepted during verification if ExtKeyUsageAny is used in VerifyOptions.KeyUsages. Since policy validation is disabled unintentionally, it may lead to acceptance of certificates that should otherwise be rejected based on their policies. However, the impact is considered low risk because explicit policy validation and the use of ExtKeyUsageAny are uncommon. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability relates to the Go programming language's crypto/x509 package when the Verify method is called with VerifyOptions.KeyUsages containing ExtKeyUsageAny, which disables policy validation. Detection involves identifying usage of vulnerable Go versions (before 1.23.10 and from 1.24.0 up to but not including 1.24.4) and checking if your code or systems use the Verify method with ExtKeyUsageAny in VerifyOptions.KeyUsages. There are no specific network detection commands provided. To detect vulnerable Go versions, you can run 'go version' on your systems. To find usage in code, you might search your codebase for 'VerifyOptions.KeyUsages' or 'ExtKeyUsageAny'. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update your Go environment to a fixed version: at least Go 1.23.10 or Go 1.24.4 or later, where the issue has been addressed. Additionally, review your code to avoid using ExtKeyUsageAny in VerifyOptions.KeyUsages when calling the Verify method, especially if your certificate chains contain policy graphs. Applying these updates and code changes will restore proper certificate policy validation. [1, 2, 3]
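The two checks described above, as an added example that is not part of this advisory page or of the Go project's own code: AffectedGoVersion applies the affected ranges stated here (before 1.23.10, and 1.24.0 up to but not including 1.24.4) to a bare version or a full `go version` line, and HardenKeyUsages rewrites a VerifyOptions so the ExtKeyUsageAny wildcard is replaced by the explicit extended key usages the caller needs. The function names, the regular expression and the sample `go version` string are assumptions constructed for this example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"regexp"
	"strconv"
)

// goVersionRE picks "go1.24.3" or "1.23.9" out of a bare version or a full `go version` line.
var goVersionRE = regexp.MustCompile(`(?:^|\s)(?:go)?(\d+)\.(\d+)(?:\.(\d+))?(?:\s|$)`)

// AffectedGoVersion applies the advisory's ranges: before 1.23.10, or 1.24.0 up to (not including) 1.24.4.
func AffectedGoVersion(s string) (bool, error) {
	m := goVersionRE.FindStringSubmatch(s)
	if m == nil {
		return false, fmt.Errorf("no Go version found in %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // a missing patch component parses as 0
	switch {
	case major != 1:
		return false, nil
	case minor < 23:
		return true, nil
	case minor == 23:
		return patch < 10, nil
	case minor == 24:
		return patch < 4, nil
	}
	return false, nil
}

// HardenKeyUsages removes the ExtKeyUsageAny wildcard and appends the explicit
// usages the caller needs, so Verify takes its normal path that also checks policies.
func HardenKeyUsages(opts x509.VerifyOptions, wanted ...x509.ExtKeyUsage) x509.VerifyOptions {
	kept := make([]x509.ExtKeyUsage, 0, len(opts.KeyUsages)+len(wanted))
	for _, ku := range opts.KeyUsages {
		if ku != x509.ExtKeyUsageAny {
			kept = append(kept, ku)
		}
	}
	opts.KeyUsages = append(kept, wanted...)
	return opts
}

func main() { // constructed sample `go version` output, not captured from a real host
	affected, err := AffectedGoVersion("go version go1.24.3 linux/amd64")
	fmt.Println("affected:", affected, "err:", err)
}
```

An empty KeyUsages list makes Go default to ExtKeyUsageServerAuth, so pass the usages you actually rely on rather than none; the version check is only a triage aid and does not replace upgrading to a fixed release.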

