Cyber Posture

CVE-2025-22865

Severity: High
Published: 28 January 2025
Modified: 15 April 2026
KEV Added: none listed
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (22.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.

Security Summary

CVE-2025-22865 affects the Go standard library, specifically the ParsePKCS1PrivateKey function in crypto/x509 that parses RSA private keys in PKCS#1 format. When the function is given an RSA key whose Chinese Remainder Theorem (CRT) values (dP, dQ, qInv) are absent, the well-formedness check panics instead of returning an error. The vulnerability was published on 2025-01-28 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A remote attacker needs no privileges or user interaction and can trigger the condition over the network with low attack complexity, provided the application parses attacker-supplied key material with the affected function. The immediate effect is a panic, which terminates the parsing process unless it is recovered; the published CVSS vector records the impact as high confidentiality.

Mitigation details are outlined in Go's official resources, including the fix commit at https://go.dev/cl/643098, the issue tracker at https://go.dev/issue/71216, a golang-dev mailing list discussion at https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ, and the vulnerability entry at https://pkg.go.dev/vuln/GO-2025-3421. Affected Go installations should be updated to incorporate the patch.
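As an added example (not code from this page or from the Go project), the Go program below builds a PKCS#1 key with the CRT values omitted, the input shape the advisory describes, and parses it through a wrapper that converts a parser panic into an ordinary error; the type pkcs1WithoutCRT and the functions encodeWithoutCRT and safeParsePKCS1 are names chosen here. Updating Go remains the fix; the wrapper only stops one malformed key from untrusted input from taking down the whole process.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// pkcs1WithoutCRT is a constructed ASN.1 layout that mirrors the PKCS#1
// RSAPrivateKey SEQUENCE but stops after q, so the DER it produces
// carries no CRT values (dP, dQ, qInv). It only builds the test input.
type pkcs1WithoutCRT struct {
	Version int
	N       *big.Int
	E       int
	D       *big.Int
	P       *big.Int
	Q       *big.Int
}

// encodeWithoutCRT serialises key as PKCS#1 DER with the CRT fields
// omitted: the input shape the advisory describes.
func encodeWithoutCRT(key *rsa.PrivateKey) ([]byte, error) {
	return asn1.Marshal(pkcs1WithoutCRT{
		Version: 0, N: key.N, E: key.E, D: key.D,
		P: key.Primes[0], Q: key.Primes[1],
	})
}

// safeParsePKCS1 converts a panic inside x509.ParsePKCS1PrivateKey into an
// error so a malformed key cannot crash the process. Containment only.
func safeParsePKCS1(der []byte) (key *rsa.PrivateKey, err error) {
	defer func() {
		if r := recover(); r != nil {
			key, err = nil, fmt.Errorf("ParsePKCS1PrivateKey panicked: %v", r)
		}
	}()
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	orig, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := encodeWithoutCRT(orig)
	_, err := safeParsePKCS1(der)
	fmt.Println("parsed without crashing; error:", err)
}
```

On a patched Go the stripped key is either accepted or rejected cleanly; on an unpatched one the wrapper returns the panic as an error instead of crashing.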

Details

CWE(s)
None listed
