CVE-2025-4575: 
OpenSSL vulnerability analysis and mitigation

CVE-2025-4575 affects the OpenSSL x509 application, specifically the -addreject option functionality. The vulnerability was discovered on May 2nd, 2025, and publicly disclosed on May 22nd, 2025. The issue affects OpenSSL version 3.5, while versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1, and 1.0.2 are not affected (OpenSSL Advisory).

The vulnerability stems from a copy & paste error during minor refactoring of the code in OpenSSL 3.5. When using the -addreject option with the openssl x509 application, it incorrectly adds a trusted use instead of a rejected use for a certificate. For example, if a trusted CA certificate should be trusted only for TLS server authentication but not for CMS signature verification, using the -addreject option for CMS signature verification will incorrectly mark the certificate as trusted for that purpose instead of rejected. The vulnerability has been assigned a Low severity rating as it only affects the command line application (OpenSSL Advisory).

The impact of this vulnerability is limited to scenarios where users employ the trusted certificate format and use the openssl x509 command line application to add rejected uses. When exploited, certificates intended to be rejected for specific uses will instead be trusted for those uses, potentially leading to unintended certificate trust relationships (OpenSSL Advisory).

OpenSSL 3.5 users are advised to upgrade to OpenSSL 3.5.1 once it becomes available. In the meantime, a fix is available in commit e96d2244 in the OpenSSL git repository. Due to the low severity of the issue, no immediate emergency releases are being issued (OpenSSL Advisory, GitHub Commit).