Go ExtKeyUsageAny Policy Validation Bypass Vulnerability

Vulnerability

A vulnerability has been identified in the Go standard library's crypto/x509 package. When Certificate.Verify is called with a VerifyOptions.KeyUsages list that includes ExtKeyUsageAny, Verify unintentionally skips certificate policy validation on the candidate chains. Only certificate chains that carry policy graphs (certificatePolicies extensions that have to be evaluated along the chain) are affected, which is uncommon.

Impact

Exploitation of this vulnerability bypasses policy validation during certificate verification: a chain that should be rejected because it does not satisfy the caller's policy requirements is accepted. ExtKeyUsageAny is documented to disable extended key usage checking on the chain; the defect is that it also disabled policy validation, so callers that relied on both checks silently lost one of them.

Remediation

Upgrade to Go 1.24.4 or 1.23.10, both of which include the fix; downloads and instructions are available on the Go website. Code that cannot upgrade immediately can avoid the affected path by listing the extended key usages it actually accepts in VerifyOptions.KeyUsages instead of ExtKeyUsageAny.
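As an added example (not code from this advisory or from the Go project), the following wrapper around Certificate.Verify shows the two things a caller can do about this issue: refuse ExtKeyUsageAny so the extended key usages are enumerated, and re-check certificate policies on every chain Verify returns rather than assuming Verify did so. The check is a deliberately simplified form of RFC 5280 policy processing (each certificate below the trust anchor must list the required policy or anyPolicy; policy mappings and policy constraints are ignored) and relies only on Certificate.PolicyIdentifiers, which exists in every Go release, so it is defense in depth alongside the upgrade rather than a replacement for Go's own validation. The policy OIDs, the names and the three-certificate test PKI are constructed here for illustration; the code needs Go 1.21 or later for the slices package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

var (
	policyHigh     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1} // constructed for the example, not a real policy
	policyLow      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2} // constructed for the example, not a real policy
	anyPolicy      = asn1.ObjectIdentifier{2, 5, 29, 32, 0}               // RFC 5280 anyPolicy
	serverAuthOnly = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	anyEKU         = []x509.ExtKeyUsage{x509.ExtKeyUsageAny} // the trigger named in the advisory
)

// chainAssertsPolicy is a deliberately simplified check: every certificate below the trust
// anchor must list want or anyPolicy. It ignores policy mappings and policy constraints.
func chainAssertsPolicy(chain []*x509.Certificate, want asn1.ObjectIdentifier) bool {
	lists := func(p asn1.ObjectIdentifier) bool { return p.Equal(want) || p.Equal(anyPolicy) }
	for i := 0; i+1 < len(chain); i++ { // Verify returns leaf first, trust anchor last
		if !slices.ContainsFunc(chain[i].PolicyIdentifiers, lists) {
			return false
		}
	}
	return len(chain) > 0
}

// verifyWithPolicy refuses ExtKeyUsageAny, so callers must enumerate the EKUs they
// accept, and re-checks the policy on every chain Verify returns.
func verifyWithPolicy(leaf *x509.Certificate, roots, inters *x509.CertPool, want asn1.ObjectIdentifier, ekus []x509.ExtKeyUsage) ([][]*x509.Certificate, error) {
	if slices.Contains(ekus, x509.ExtKeyUsageAny) {
		return nil, fmt.Errorf("refusing ExtKeyUsageAny: list the extended key usages you accept")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: ekus})
	if err != nil {
		return nil, err
	}
	chains = slices.DeleteFunc(chains, func(ch []*x509.Certificate) bool { return !chainAssertsPolicy(ch, want) })
	if len(chains) == 0 {
		return nil, fmt.Errorf("no chain asserts policy %v", want)
	}
	return chains, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate with one certificatePolicies entry; parent == nil yields a self-signed root.
func issue(cn string, ca bool, policy asn1.ObjectIdentifier, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	polDER := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})) // PolicyInformation, qualifiers omitted
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		ExtraExtensions:       []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}},
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, serverAuthOnly
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// scenario builds root -> issuing CA (policyHigh) -> leaf (leafPolicy) and verifies the leaf against policyHigh.
func scenario(leafPolicy asn1.ObjectIdentifier, ekus []x509.ExtKeyUsage) error {
	root, rootKey := issue("Example Root", true, anyPolicy, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, policyHigh, root, rootKey)
	leaf, _ := issue("service.example", false, leafPolicy, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := verifyWithPolicy(leaf, roots, inters, policyHigh, ekus)
	return err
}

func main() { // <nil>, then the policy rejection, then the ExtKeyUsageAny refusal
	fmt.Println(scenario(policyHigh, serverAuthOnly), scenario(policyLow, serverAuthOnly), scenario(policyHigh, anyEKU))
}
```

Run as is: the first scenario verifies, the second is rejected because the leaf does not carry the required policy, and the third is refused before Verify is called. Whether chainAssertsPolicy is sufficient depends on how a PKI uses policies; a CA that relies on policy mappings or inhibitAnyPolicy needs the full algorithm, which the fixed Go release provides.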

Added: Jun 11, 2025, 5:23 PM
Updated: Jun 11, 2025, 6:26 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          2.5
  exploitability  8.1
  remediation     0.0
  relevance       0.2
  threat          3.2
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.