CVE-2025-22865

Jan. 28, 2025, 4:15 p.m.

7.5
High

Description

Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.

Product(s) Impacted

Product Versions
Golang

Weaknesses

References

https://go.dev/cl/643098
https://go.dev/issue/71216
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
https://pkg.go.dev/vuln/GO-2025-3421

Tags

security@golang.org
2025-01-28
CVE-2025-22865

CVSS Score

7.5 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Date

  • Published: Jan. 28, 2025, 2:15 a.m.
  • Last Modified: Jan. 28, 2025, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@golang.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.