CVE-2025-6224: 
vulnerability analysis and mitigation

CVE-2025-6224 is a security vulnerability discovered in the juju/utils library affecting version 4 and above, disclosed on July 1, 2025. The vulnerability involves certificate generation in the cert.NewLeaf function that could expose private information. The affected component is the certificate generation mechanism in the juju/utils library (GitHub Advisory).

The vulnerability stems from the cert.NewLeaf function setting the SubjectKeyId to sha512.New384().Sum of the private key. The CVSS v3.1 score is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-312 (Cleartext Storage of Sensitive Information) (NVD).

If a certificate generated by the vulnerable function is transmitted over a network in plaintext, which commonly occurs during TLS handshakes, an attacker monitoring the network can intercept the certificate and extract the private key. This enables potential impersonation of both servers and clients. For server certificates, an attacker only needs to perform a TLS handshake with matching SNI to obtain the certificate and key, allowing server impersonation. Similarly, for client certificates, the attacker needs to get the client to perform a TLS handshake with an attacker-controlled server (GitHub Advisory).

The vulnerability has been patched in version v4.0.4 of the juju/utils library. Users should upgrade to this version or later to address the security issue (GitHub Advisory).