Primary

Context

Go ParsePKCS1PrivateKey Partial Key Panic Vulnerability

Vulnerability

A vulnerability exists in the Go programming language's crypto/x509 package, specifically in the ParsePKCS1PrivateKey function. This issue arises when parsing RSA private keys that lack the Chinese Remainder Theorem (CRT) values, leading to a panic during the key validation process. The vulnerability is present in Go version 1.24 release candidates prior to 1.24.0-rc.2.

Impact

The vulnerability causes a panic, which can disrupt the normal execution of a program.

Reproduction

To reproduce this vulnerability, use Go 1.24 release candidate 1 or 2. Parse an RSA private key in PKCS#1 format that is missing the CRT values with the ParsePKCS1PrivateKey function. The absence of the CRT values will trigger a panic when the function attempts to verify the key's integrity.

Remediation

Users can upgrade to Go 1.24.0-rc.2 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.4

remediation

0.0

relevance

0.0

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.4

remediation

0.0

relevance

0.0

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Go ParsePKCS1PrivateKey Partial Key Panic Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating