CVE-2025-22865: ParsePKCS1PrivateKey panic with partial keys in crypto/x509

Description

Parsing an RSA key that is missing the CRT values with ParsePKCS1PrivateKey would panic while verifying that the key is well formed.

Classification

CVE ID: CVE-2025-22865

Affected Products

Vendor: Go standard library

Product: crypto/x509

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 18.25% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-27 (date this score was calculated)

References

https://go.dev/cl/643098
https://go.dev/issue/71216
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
https://pkg.go.dev/vuln/GO-2025-3421

Timeline