
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-22874 is a security vulnerability discovered in Go's crypto/x509 package, disclosed on June 11, 2025. It is triggered when Verify is called with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny, which unintentionally disables policy validation. The issue specifically affects certificate chains containing policy graphs, which are noted to be relatively uncommon (Go Blog, NVD).
The vulnerability exists in the crypto/x509 package's certificate verification process. When VerifyOptions.KeyUsages contains ExtKeyUsageAny, policy validation is skipped entirely, so a chain that should fail its policy checks is accepted. The issue affects Go versions from 1.24.0-0 up to, but not including, 1.24.4. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (Go Vuln DB, NVD).
The vulnerability affects certificate chain validation, specifically when policy graphs are involved. While the impact is significant, since it can lead to improper certificate validation, the practical risk is reduced by the fact that policy graphs in certificate chains are uncommon and the vulnerability requires specific conditions to be exploited (Go Issue).
The vulnerability has been fixed in Go version 1.24.4 and Go 1.23.10. Users are advised to upgrade to these versions or later to address the security issue. The fix was shipped as a security patch release (Go Blog).
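Two checks a Go service can run at startup for this issue, as an added example that is not part of the original report or of the Go project's code: whether the running toolchain falls in the affected 1.24.0-0 to 1.24.4 range, and whether the VerifyOptions it passes to Verify use the ExtKeyUsageAny setting that triggered the bypass, with a helper that replaces it by the explicit usages actually needed. The function names are assumptions; the version string format follows runtime.Version().

```go
package main

import (
	"crypto/x509"
	"fmt"
	"runtime"
)

// CVE-2025-22874: on Go 1.24.0 through 1.24.3, Certificate.Verify skipped
// policy validation when VerifyOptions.KeyUsages contained ExtKeyUsageAny.
// Startup checks: is the toolchain in the affected range, and do our
// VerifyOptions carry the setting that triggered the bypass?

// AffectedGoVersion parses a runtime.Version() string such as "go1.24.3" and
// reports whether it lies in [1.24.0-0, 1.24.4). Pre-releases ("go1.24rc1")
// parse with patch 0 and count as affected; "devel" builds cannot be judged.
func AffectedGoVersion(v string) bool {
	var major, minor, patch int
	n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch)
	if n < 2 {
		return false
	}
	return major == 1 && minor == 24 && patch < 4
}

// UsesAnyEKU reports whether ExtKeyUsageAny appears anywhere in opts.KeyUsages.
func UsesAnyEKU(opts x509.VerifyOptions) bool {
	for _, ku := range opts.KeyUsages {
		if ku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// HardenKeyUsages returns a copy of opts whose KeyUsages lists only the usages
// the caller needs, so the EKU check and policy validation both run on any toolchain.
func HardenKeyUsages(opts x509.VerifyOptions, required ...x509.ExtKeyUsage) x509.VerifyOptions {
	opts.KeyUsages = append([]x509.ExtKeyUsage(nil), required...)
	return opts
}

func main() {
	weak := x509.VerifyOptions{KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	fmt.Println("toolchain affected:", AffectedGoVersion(runtime.Version()))
	fmt.Println("weak options use ExtKeyUsageAny:", UsesAnyEKU(weak))
	fmt.Println("hardened KeyUsages:", HardenKeyUsages(weak, x509.ExtKeyUsageServerAuth).KeyUsages)
}
```

The version check only catches the toolchain the binary was built with; the KeyUsages check is the one that stays meaningful after upgrading, because ExtKeyUsageAny also disables the extended key usage check itself.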
The vulnerability was responsibly disclosed and reported by Krzysztof Skrzętnicki (@Tener) of Teleport. Due to the specific nature of the vulnerability and its limited impact scope, it was treated as a PUBLIC track security issue according to the Go Security policy (Go Issue).
Source: This report was generated using AI