Usage of ExtKeyUsageAny disables policy validation in crypto/x509

GO-2025-3749 · BIT-golang-2025-22874 · CVE-2025-22874

Published Jun 11, 2025 · Modified Feb 17, 2026

Description

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

References

FIX https://go.dev/cl/670375
REPORT https://go.dev/issue/73612
WEB https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes