RSA Key Verification Issue in Go Programming Language
CVE-2025-22865
7.5 HIGH
What is CVE-2025-22865?
This vulnerability arises when the ParsePKCS1PrivateKey function encounters an RSA key that lacks the necessary CRT (Chinese Remainder Theorem) values. In such cases, the process of verifying whether the key is correctly formatted can lead to a panic, potentially causing disruptions in applications utilizing RSA encryption. Developers are advised to ensure that RSA keys are correctly formed before parsing them to mitigate any adverse impacts.
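One way to apply the advice above is to inspect the PKCS#1 structure before handing it to crypto/x509. This is an added example, not code from the Go project or the advisory; pkcs1Key, ErrNoCRT, CheckCRT, SafeParsePKCS1 and sample are hypothetical names, and the sample input is a constructed toy structure (textbook p=61, q=53), not a usable key.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// pkcs1Key follows RFC 8017 RSAPrivateKey; CRT fields are optional so their absence is detectable.
type pkcs1Key struct {
	Version      int
	N            *big.Int
	E            int
	D, P, Q      *big.Int
	Dp, Dq, Qinv *big.Int `asn1:"optional"`
}

var ErrNoCRT = errors.New("PKCS#1 key is missing CRT values")

// CheckCRT (hypothetical helper) returns ErrNoCRT when dP, dQ or qInv is absent or zero.
func CheckCRT(der []byte) error {
	var k pkcs1Key
	if rest, err := asn1.Unmarshal(der, &k); err != nil || len(rest) != 0 {
		return errors.New("input is not a single PKCS#1 RSAPrivateKey")
	}
	for _, v := range []*big.Int{k.Dp, k.Dq, k.Qinv} {
		if v == nil || v.Sign() <= 0 {
			return ErrNoCRT
		}
	}
	return nil
}

// SafeParsePKCS1 (hypothetical wrapper) passes only structurally complete keys to crypto/x509.
func SafeParsePKCS1(der []byte) (*rsa.PrivateKey, error) {
	if err := CheckCRT(der); err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// sample returns constructed toy DER holding the first n of:
// version, n, e, d, p, q, dP, dQ, qInv.
func sample(n int) []byte {
	der, _ := asn1.Marshal([]int64{0, 3233, 17, 2753, 61, 53, 53, 49, 38}[:n])
	return der
}

func main() { fmt.Println(CheckCRT(sample(9)), CheckCRT(sample(6))) }
```

The pre-check matters only for builds inside the affected range listed under Affected Version(s); it rejects the input before ParsePKCS1PrivateKey is reached.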
Affected Version(s)
crypto/x509 1.24.0-0 < 1.24.0-rc.2
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Philippe Antoine (Catena cyber)