CVE-2025-22874

Published Jun 11, 2025

Last updated a month ago

CVSS high 7.5
Golang

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-22874 affects Google Go's crypto-x509 component, specifically the VerifyOptions.KeyUsages function. This vulnerability involves improper certificate validation due to manipulation with an unknown input. The vulnerability lies in the product's failure to properly validate certificates, potentially impacting integrity. It can be exploited remotely without authentication, though exploitation is considered difficult. The vulnerability is addressed in versions 1.23.10 and 1.24.4 of Google Go.

Description
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Source
security@golang.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity
HIGH

Social media

Hype score
Not currently trending

  1. CVE-2025-22874 Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which cont… https://t.co/sexQtE8WCO

    @CVEnew

    11 Jun 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚀 URGENT: #openSUSE Leap 15.6 patches critical #GoLang vulnerabilities (CVE-2025-22874, CVE-2025-0913, CVE-2025-4673). 🔐 Impacts: ✔ Certificate validation bypass ✔ HTTP header leaks ✔ Permission flaws Read more : 👇https://t.co/tD2CaU1AV8 https://t.co/GCarji7v1R

    @Cezar_H_Linux

    10 Jun 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. #Mageia9 patches 3 Golang CVEs: ✅ Proxy-Auth header leaks (CVE-2025-4673) ✅ Symlink handling flaws (CVE-2025-0913) ✅ x509 policy bypass (CVE-2025-22874) Read more: 👉 https://t.co/6AmFFJ5tkT #DevSecOps https://t.co/hzSlkXsB2B

    @Cezar_H_Linux

    10 Jun 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🎆 Go 1.24.4 and 1.23.10 are released! 🔐 Security: Includes security fixes for CVE-2025-4673, CVE-2025-0913, and CVE-2025-22874 in net/http, os, and crypto/x509. 📰 Announcement: https://t.co/C3AeYy8ZX8 📦 Download: https://t.co/5hObjouLtK #golang https://t.co/NyEeP3

    @golang

    5 Jun 2025

    18043 Impressions

    101 Retweets

    443 Likes

    26 Bookmarks

    4 Replies

    4 Quotes

References

Sources include official advisories and independent security research.