VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-qypz-u9nr-buf1

Essentials
Severities (16)
References (13)
Severity details (11)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-qypz-u9nr-buf1
Aliases	CVE-2025-22874
Summary	Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-295

Improper Certificate Validation

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22874.json
epss	0.00017	https://api.first.org/data/v1/epss?cve=CVE-2025-22874
epss	0.00017	https://api.first.org/data/v1/epss?cve=CVE-2025-22874
epss	0.00017	https://api.first.org/data/v1/epss?cve=CVE-2025-22874
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2025-22874
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2025-22874
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	7.5	https://go.dev/cl/670375
ssvc	Track	https://go.dev/cl/670375
cvssv3.1	7.5	https://go.dev/issue/73612
ssvc	Track	https://go.dev/issue/73612
cvssv3.1	7.5	https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
ssvc	Track	https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
cvssv3.1	7.5	https://pkg.go.dev/vuln/GO-2025-3749
ssvc	Track	https://pkg.go.dev/vuln/GO-2025-3749
archlinux	Medium	https://security.archlinux.org/AVG-2896

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22874.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-22874
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22874
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1107364		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107364
2372320		https://bugzilla.redhat.com/show_bug.cgi?id=2372320
670375		https://go.dev/cl/670375
73612		https://go.dev/issue/73612
ASA-202506-4		https://security.archlinux.org/ASA-202506-4
AVG-2896		https://security.archlinux.org/AVG-2896
CVE-2025-22874		https://nvd.nist.gov/vuln/detail/CVE-2025-22874
GO-2025-3749		https://pkg.go.dev/vuln/GO-2025-3749
ufZ8WpEsA3A		https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22874.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://go.dev/cl/670375

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:45:40Z/ Found at https://go.dev/cl/670375

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://go.dev/issue/73612

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:45:40Z/ Found at https://go.dev/issue/73612

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:45:40Z/ Found at https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://pkg.go.dev/vuln/GO-2025-3749

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:45:40Z/ Found at https://pkg.go.dev/vuln/GO-2025-3749

Exploit Prediction Scoring System (EPSS)

Percentile	0.02455
EPSS Score	0.00017
Published At	June 12, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-06-05T22:43:42.265011+00:00	Debian Importer	Import	https://security-tracker.debian.org/tracker/data/json	36.1.0