
Description

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

PUBLISHED Reserved 2025-01-08 | Published 2025-06-11 | Updated 2025-06-16 | Assigner Go

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status
unaffected

1.24.0-0 (semver) before 1.24.4
affected

Credits

Krzysztof Skrzętnicki (@Tener) of Teleport

References

go.dev/cl/670375

go.dev/issue/73612

groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

pkg.go.dev/vuln/GO-2025-3749

cve.org (CVE-2025-22874)

nvd.nist.gov (CVE-2025-22874)
