CVE-2025-65083
BaseFortify
Publication date: 2025-11-17
Last updated on: 2025-11-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gosign | gosign_desktop | 2.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in GoSign Desktop versions up to 2.4.1, where TLS certificate validation is disabled when the software is configured to use a proxy server. This means that if a user selects an arbitrary proxy server, the software may accept HTTPS connections even if the server certificates are untrusted or invalid. This can allow an attacker to bypass integrity protection, potentially compromising secure communications.
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker controlling or intercepting the proxy server to bypass TLS certificate validation, potentially leading to integrity issues in your HTTPS connections. This could result in undetected man-in-the-middle attacks or tampering with data transmitted through the proxy. Additionally, if the ~/.gosign directory is placed in an untrusted user's home directory, other users executing downloaded files could be exposed to further risks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid configuring GoSign Desktop to use an arbitrary or untrusted proxy server. Ensure that the proxy server properly validates TLS certificates for outbound HTTPS connections. Additionally, do not place the ~/.gosign directory in the home directory of untrusted users to prevent execution of potentially unsafe downloaded files by other users.
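As an added illustration of the defect class and the check described in the answers above (not code from GoSign Desktop, whose implementation language and proxy handling are not shown on this page), the Go program below builds an HTTPS client whose certificate verification is either left on or switched off, runs it against a loopback server presenting a self-signed certificate, and includes a configuration check (VerifiesCerts) that confirms verification stays enabled when a proxy URL is set. All function names and the proxy address are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// NewClient builds an HTTP client; proxy may be nil for a direct connection.
// skipVerify models the defect above (validation switched off when a proxy is
// in use); a correct client passes false whether or not a proxy is configured.
func NewClient(proxy *url.URL, skipVerify bool) *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}}
	if proxy != nil {
		tr.Proxy = http.ProxyURL(proxy)
	}
	return &http.Client{Transport: tr}
}

// VerifiesCerts is a configuration check: true only if the client's transport
// will validate server certificates, regardless of any proxy setting.
func VerifiesCerts(c *http.Client) bool {
	tr, ok := c.Transport.(*http.Transport)
	if !ok {
		return c.Transport == nil // nil means http.DefaultTransport, which verifies
	}
	return tr.TLSClientConfig == nil || !tr.TLSClientConfig.InsecureSkipVerify
}

// FetchOK reports whether a GET to target succeeded; a verifying client must
// fail against a server whose certificate chains to no trusted root.
func FetchOK(c *http.Client, target string) (bool, error) {
	resp, err := c.Get(target)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// NewUntrustedServer starts a loopback HTTPS server presenting a self-signed
// certificate that no trust store contains (constructed test fixture).
func NewUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}
```

Running FetchOK with the strict client against the untrusted server returns an x509 error, while the lax client silently accepts the certificate, which is exactly the condition VerifiesCerts is meant to catch before a proxy is ever configured.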