What is the CVSS score of CVE-2025-22874?

CVE-2025-22874 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Golang are affected by CVE-2025-22874?

CVE-2025-22874 affects certificate validation in applications using specific key usage policies, potentially allowing attackers to bypass security policy checks on certificate chains.. A patch is available.

How to fix or mitigate CVE-2025-22874?

Within 24 hours: Identify applications using affected certificate validation libraries and determine if they process certificates with policy graphs. Within 7 days: Document all systems handling policy-based certificate chains and assess business criticality; contact your software vendors for patch timelines. Within 30 days: Implement compensating controls (see below) and establish monitoring for certificate validation anomalies; schedule patching immediately upon vendor availability.

Golang CVE-2025-22874

EUVD-2025-18136 HIGH

2025-06-11 security@golang.org

Authentication Bypass Golang Red Hat Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 21:09 euvd

EUVD-2025-18136

Analysis Generated

Mar 14, 2026 - 21:09 vuln.today

CVE Published

Jun 11, 2025 - 17:15 nvd

HIGH 7.5

DescriptionNVD

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

AnalysisAI

Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.

Technical ContextAI

This vulnerability exists in certificate verification logic (likely Go's crypto/x509 package or similar cryptographic libraries) where the ExtKeyUsageAny constant, when included in VerifyOptions.KeyUsages parameters, creates an unintended code path that bypasses policy validation mechanisms. X.509 certificate policies (defined in RFC 5280) are constraints used in PKI hierarchies to ensure certificates conform to specific validation rules. The bug appears to be a logic error where the presence of ExtKeyUsageAny flag causes the verification routine to skip policy graph evaluation entirely, rather than properly handling the 'any' EKU designation alongside policy validation. The issue is particularly dangerous because policy constraints are a sophisticated but essential security control in enterprise and government PKI deployments, and their bypass is non-obvious to callers who may not expect ExtKeyUsageAny to affect policy validation at all.

RemediationAI

IMMEDIATE: Update affected cryptographic libraries to patched versions (vendor must provide specific version numbers in advisory—typically next minor or patch release). 2) CODE-LEVEL FIX: Cease using ExtKeyUsageAny in VerifyOptions.KeyUsages parameters when policy validation is required; instead, explicitly enumerate required EKU values or omit the KeyUsages check if policies must be validated. 3) VALIDATION LOGIC: For applications validating certificates with policy constraints, audit code to ensure policy validation is not inadvertently disabled by EKU parameters. 4) TESTING: Add regression tests that verify policy constraints are enforced even when EKU parameters are specified. 5) TEMPORARY MITIGATION: If patching is delayed, implement external policy validation checks separate from the VerifyOptions path. Consult vendor (Go, OpenSSL, etc.) security advisories for exact patch versions and availability timelines.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Ubuntu

Priority: Medium

golang

Release	Status	Version
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.6

Release	Status	Version
xenial	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.8

Release	Status	Version
bionic	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.9

Release	Status	Version
bionic	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.10

Release	Status	Version
trusty	needs-triage	-
xenial	needs-triage	-
bionic	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.13

Release	Status	Version
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.14

Release	Status	Version
focal	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.16

Release	Status	Version
bionic	needs-triage	-
focal	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.17

Release	Status	Version
jammy	needs-triage	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

golang-1.18

Release	Status	Version
xenial	needs-triage	-
bionic	needs-triage	-
jammy	needs-triage	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
focal	needs-triage	-
questing	DNE	-

golang-1.20

Release	Status	Version
jammy	needs-triage	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
focal	needs-triage	-
questing	DNE	-

golang-1.21

Release	Status	Version
jammy	needs-triage	-
noble	needs-triage	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
focal	needs-triage	-
questing	DNE	-

golang-1.22

Release	Status	Version
plucky	DNE	-
upstream	needs-triage	-
jammy	not-affected	code not present
noble	not-affected	code not present
oracular	not-affected	code not present
focal	needs-triage	-
questing	DNE	-

golang-1.23

Release	Status	Version
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-
plucky	ignored	end of life, was needs-triage

golang-1.24

Release	Status	Version
oracular	DNE	-
upstream	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
questing	needs-triage	-
plucky	ignored	end of life, was needs-triage

Debian

Bug #1107364

golang-1.15

Release	Status	Fixed Version	Urgency
bullseye	fixed	1.15.15-1~deb11u4	-
(unstable)	not-affected	-	-

golang-1.19

Release	Status	Fixed Version	Urgency
bookworm	fixed	1.19.8-2	-
(unstable)	not-affected	-	-

golang-1.24

Release	Status	Fixed Version	Urgency
trixie	fixed	1.24.4-1	-
forky, sid	fixed	1.24.13-2	-
(unstable)	fixed	1.24.4-1	-

golang-1.23

Release	Status	Fixed Version	Urgency
(unstable)	not-affected	-	-

CVE-2025-22874 vulnerability details – vuln.today

Back

Golang CVE-2025-22874

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code