Skip to main content

Golang CVE-2025-22874

| EUVDEUVD-2025-18136 HIGH
2025-06-11 security@golang.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:09 euvd
EUVD-2025-18136
Analysis Generated
Mar 14, 2026 - 21:09 vuln.today
CVE Published
Jun 11, 2025 - 17:15 nvd
HIGH 7.5

DescriptionCVE.org

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

AnalysisAI

Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.

Technical ContextAI

This vulnerability exists in certificate verification logic (likely Go's crypto/x509 package or similar cryptographic libraries) where the ExtKeyUsageAny constant, when included in VerifyOptions.KeyUsages parameters, creates an unintended code path that bypasses policy validation mechanisms. X.509 certificate policies (defined in RFC 5280) are constraints used in PKI hierarchies to ensure certificates conform to specific validation rules. The bug appears to be a logic error where the presence of ExtKeyUsageAny flag causes the verification routine to skip policy graph evaluation entirely, rather than properly handling the 'any' EKU designation alongside policy validation. The issue is particularly dangerous because policy constraints are a sophisticated but essential security control in enterprise and government PKI deployments, and their bypass is non-obvious to callers who may not expect ExtKeyUsageAny to affect policy validation at all.

RemediationAI

  1. IMMEDIATE: Update affected cryptographic libraries to patched versions (vendor must provide specific version numbers in advisory—typically next minor or patch release). 2) CODE-LEVEL FIX: Cease using ExtKeyUsageAny in VerifyOptions.KeyUsages parameters when policy validation is required; instead, explicitly enumerate required EKU values or omit the KeyUsages check if policies must be validated. 3) VALIDATION LOGIC: For applications validating certificates with policy constraints, audit code to ensure policy validation is not inadvertently disabled by EKU parameters. 4) TESTING: Add regression tests that verify policy constraints are enforced even when EKU parameters are specified. 5) TEMPORARY MITIGATION: If patching is delayed, implement external policy validation checks separate from the VerifyOptions path. Consult vendor (Go, OpenSSL, etc.) security advisories for exact patch versions and availability timelines.

More in Golang

View all
CVE-2026-24897 CRITICAL POC
10.0 Jan 28

Erugo file-sharing platform up to version 0.2.14 has a CVSS 10.0 path traversal allowing authenticated users to read any

CVE-2022-50926 CRITICAL POC
9.8 Jan 13

WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie

CVE-2026-28408 CRITICAL POC
9.8 Feb 27

Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.p

CVE-2026-24895 CRITICAL POC
9.8 Feb 12

CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI proc

CVE-2025-66719 CRITICAL POC
9.1 Jan 23

Free5gc NRF 1.4.0 has an authorization bypass in access token generation that allows authenticated users to request toke

CVE-2022-50909 HIGH POC
8.8 Jan 13

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows

CVE-2026-3769 HIGH POC
8.8 Mar 08

Stack-based buffer overflow in Tenda F453 firmware 1.0.0.3 allows remote attackers with valid credentials to achieve una

CVE-2026-3768 HIGH POC
8.8 Mar 08

Stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3 allows authenticated remote attackers to achieve comp

CVE-2025-66292 HIGH POC
8.1 Jan 15

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vu

CVE-2019-25344 HIGH POC
7.8 Feb 12

Mobilego versions up to 8.5.0 is affected by incorrect permission assignment for critical resource (CVSS 7.8).

CVE-2019-25308 HIGH POC
7.8 Feb 11

Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration.

CVE-2026-26514 HIGH POC
7.5 Mar 04

Remote attackers can inject arbitrary command-line arguments into bird-lg-go's traceroute module through unsanitized use

Vendor StatusVendor

Ubuntu

Priority: Medium
golang
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.6
Release Status Version
xenial needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.8
Release Status Version
bionic needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.9
Release Status Version
bionic needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.10
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.13
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.14
Release Status Version
focal needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.16
Release Status Version
bionic needs-triage -
focal needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.17
Release Status Version
jammy needs-triage -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.18
Release Status Version
xenial needs-triage -
bionic needs-triage -
jammy needs-triage -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
focal needs-triage -
questing DNE -
golang-1.20
Release Status Version
jammy needs-triage -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
focal needs-triage -
questing DNE -
golang-1.21
Release Status Version
jammy needs-triage -
noble needs-triage -
oracular DNE -
plucky DNE -
upstream needs-triage -
focal needs-triage -
questing DNE -
golang-1.22
Release Status Version
plucky DNE -
upstream needs-triage -
jammy not-affected code not present
noble not-affected code not present
oracular not-affected code not present
focal needs-triage -
questing DNE -
golang-1.23
Release Status Version
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
questing needs-triage -
plucky ignored end of life, was needs-triage
golang-1.24
Release Status Version
oracular DNE -
upstream needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
plucky ignored end of life, was needs-triage

Debian

Bug #1107364
golang-1.15
Release Status Fixed Version Urgency
bullseye fixed 1.15.15-1~deb11u4 -
(unstable) not-affected - -
golang-1.19
Release Status Fixed Version Urgency
bookworm fixed 1.19.8-2 -
(unstable) not-affected - -
golang-1.24
Release Status Fixed Version Urgency
trixie fixed 1.24.4-1 -
forky, sid fixed 1.24.13-2 -
(unstable) fixed 1.24.4-1 -
golang-1.23
Release Status Fixed Version Urgency
(unstable) not-affected - -

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-4.31 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-4.26 Container suse/sl-micro/6.0/kvm-os-container:2.1.3-4.27 Container suse/sl-micro/6.0/rt-os-container:2.1.3-5.25 Image SL-Micro Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.1 Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed

Share

CVE-2025-22874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy