CVE-2025-4575: 
OpenSSL vulnerability analysis and mitigation

CVE-2025-4575 affects the OpenSSL x509 application's -addreject option functionality. The vulnerability was discovered on May 2nd, 2025, and publicly disclosed on May 22nd, 2025. The issue specifically impacts OpenSSL version 3.5, while versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1, and 1.0.2 are not affected (OpenSSL Advisory).

The vulnerability stems from a copy & paste error during minor refactoring of the code in OpenSSL 3.5. When using the -addreject option with the openssl x509 application, it incorrectly adds a trusted use instead of a rejected use for a certificate. The vulnerability has been assigned a CVSS 3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (Wiz).

The impact is limited to scenarios where users employ the trusted certificate format and use the openssl x509 command line application to add rejected uses. For example, if a trusted CA certificate should be trusted only for TLS server authentication but not for CMS signature verification, using the -addreject option for CMS signature verification will incorrectly mark the certificate as trusted for that purpose instead of rejected (OpenSSL Advisory).

OpenSSL 3.5 users are advised to upgrade to OpenSSL 3.5.1 once it becomes available. Due to the low severity of the issue, no immediate emergency releases are being issued. In the meantime, a fix is available in commit e96d2244 in the OpenSSL git repository (OpenSSL Advisory, GitHub Commit).