CVE-2025-6224
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-09-10
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | juju\/utils | From 4.0.0 (inc) to 4.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6224 is a vulnerability in the Go package github.com/juju/utils/cert where the cert.NewLeaf function mistakenly includes the private key inside the generated certificate. This happens because the private key is embedded due to incorrect use of the sha512.New384().Sum() function. When such a certificate is transmitted over the network in plaintext, an attacker who can sniff the network traffic can easily extract the private key from the certificate. This affects both server and client certificates, allowing attackers to impersonate servers or clients by obtaining their private keys during TLS handshakes. [1]
How can this vulnerability impact me? :
This vulnerability can lead to private key disclosure if an attacker can observe the certificate transmitted over the network. With the private key, an attacker can impersonate the server or client, compromising secure communications and potentially gaining unauthorized access to systems or data. This can undermine trust in TLS connections and expose sensitive information or services to attackers. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by capturing and analyzing TLS handshake certificates transmitted over the network to check if the certificates include embedded private keys. Network sniffing tools like Wireshark or tcpdump can be used to capture TLS handshake traffic. For example, use 'tcpdump -i <interface> port 443 -w capture.pcap' to capture TLS traffic. Then analyze the certificates in the capture for suspicious inclusion of private key material. Additionally, inspecting the version of the github.com/juju/utils/cert package in your environment to see if it is below v4.0.4 can help identify vulnerable instances. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the github.com/juju/utils/cert package to version v4.0.4 or later, where the vulnerability has been patched. Avoid transmitting certificates generated by vulnerable versions over the network in plaintext. Implement network-level protections such as TLS encryption and monitoring to prevent unauthorized sniffing. Additionally, regenerate any certificates created with vulnerable versions to prevent private key compromise. [1]