CVE-2025-22874
Published: 2025-06-11
Priority: P338 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.31% (22.8th percentile)
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| go_standard_library | crypto_x509 | >= 1.24.0-0 < 1.24.4 | 1.24.4 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.6-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gcc_11.2.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm2_msft-golang_1.24.1-3_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | LOW | |
| vendor_msrc | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
Red Hat
crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509
vendor_redhat · 2025-06-11 · CVSS 7.5 · HIGH · CWE-295
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
A flaw was found in Go's crypto/x509 package. This vulnerability allows improper certificate validation, bypassing policy constraints by using ExtKeyUsageAny in VerifyOptions.KeyUsages.
Statement: This flaw is rated as an Important severity because the vulnerability was found in the certificate validation logic of the Verify function. When VerifyOptions.KeyUsages includes ExtKeyUsageAny, certificate chains containing policy graphs may bypass certificate policy validation. This flaw allows an attacker
Microsoft
Usage of ExtKeyUsageAny disables policy validation in crypto/x509
vendor_msrc · 2025-06-10 · CVSS 7.5 · HIGH
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://l
Debian
CVE-2025-22874: golang-1.15 - Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unint...
vendor_debian · 2025 · CVSS 7.5 · HIGH
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Scope: local
bullseye: resolved
GHSA
GHSA-6f52-wpx2-hvf2: Calling Verify with a VerifyOptions
ghsa_unreviewed · 2025-06-11 · HIGH
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
OSV
CVE-2025-22874: Calling Verify with a VerifyOptions
osv · 2025-06-11 · CVSS 7.5 · HIGH
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
OSV
Usage of ExtKeyUsageAny disables policy validation in crypto/x509
osv · 2025-06-11
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
No detection rules found.
No public exploits indexed.
Published: 2025-06-11