Due to how policy validation was implemented, passing VerifyOptions.KeyUsages containing ExtKeyUsageAny unintentionally disables policy validation. These two properties are unrelated, and disabling key usage validation shouldn't disable policy validation.
This is a security issue, but due to the rarity of policy validation, and because it requires the user to explicitly set ExtKeyUsageAny, which is also rare, we are treating this as a PUBLIC track security issue, per the Go Security policy.
Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this issue.
This is CVE-2025-22874.
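As an added illustration, not code from this issue or from the Go project, the program below shows what "decoupled" means from a caller's side. It builds a constructed two-certificate chain, calls Verify with KeyUsages set to ExtKeyUsageAny, and then applies its own policy check to the chains Verify returns, so a leaf that asserts the wrong policy is rejected regardless of how the library treats key usage. Everything here is assumed for the example: the policy OIDs under 1.3.6.1.4.1.99999 are placeholders, the names "Example Policy Root" and "leaf.example" are fixtures, and the function names are the example's own. The policy check is a deliberate simplification (membership of each certificate below the trust anchor in the acceptable set, with anyPolicy honoured), not RFC 5280 policy-tree processing, so it handles no policy mappings or inhibit constraints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Policy OIDs used by this example; the first two are constructed placeholders.
var (
	policyA   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	policyB   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}
	anyPolicy = asn1.ObjectIdentifier{2, 5, 29, 32, 0} // RFC 5280 anyPolicy
)

// must panics on error; it keeps the fixture code short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// policyInformation is RFC 5280 PolicyInformation without the optional qualifiers.
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// certificatePoliciesExt DER-encodes a certificatePolicies extension directly,
// so the fixture does not depend on which template field a Go release marshals.
func certificatePoliciesExt(oids ...asn1.ObjectIdentifier) pkix.Extension {
	infos := make([]policyInformation, 0, len(oids))
	for _, oid := range oids {
		infos = append(infos, policyInformation{Policy: oid})
	}
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: must(asn1.Marshal(infos))}
}

// certAssertsPolicy reports whether cert carries anyPolicy or one of acceptable.
func certAssertsPolicy(cert *x509.Certificate, acceptable []asn1.ObjectIdentifier) bool {
	for _, have := range cert.PolicyIdentifiers {
		if have.Equal(anyPolicy) || slices.ContainsFunc(acceptable, have.Equal) {
			return true
		}
	}
	return false
}

// verifyWithPolicies runs leaf.Verify with opts exactly as given (ExtKeyUsageAny
// included) and then applies its own policy check to the returned chains, so the
// policy decision never depends on key-usage handling. It is a simplified
// membership check, not full RFC 5280 policy-tree processing.
func verifyWithPolicies(leaf *x509.Certificate, opts x509.VerifyOptions, acceptable []asn1.ObjectIdentifier) ([][]*x509.Certificate, error) {
	chains, err := leaf.Verify(opts)
	if err != nil || len(acceptable) == 0 {
		return chains, err
	}
	// Drop chains in which a certificate below the trust anchor (the last
	// element) does not assert an acceptable policy.
	chains = slices.DeleteFunc(chains, func(chain []*x509.Certificate) bool {
		return slices.ContainsFunc(chain[:len(chain)-1], func(c *x509.Certificate) bool {
			return !certAssertsPolicy(c, acceptable)
		})
	})
	if len(chains) == 0 {
		return nil, errors.New("x509: no verified chain asserts an acceptable certificate policy")
	}
	return chains, nil
}

// mustCert issues tmpl with a fresh P-256 key, signed by parent, or self-signed when parent is nil.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildChain constructs a root asserting policyA and policyB and a leaf asserting only leafPolicy.
func buildChain(leafPolicy asn1.ObjectIdentifier) (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	root, rootKey := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Policy Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtraExtensions: []pkix.Extension{certificatePoliciesExt(policyA, policyB)},
	}, nil, nil)
	leaf, _ := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{certificatePoliciesExt(leafPolicy)},
	}, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return leaf, roots
}

// runChecks verifies a leaf asserting policyB with KeyUsages = ExtKeyUsageAny:
// requiring policyA must fail and requiring policyB must succeed.
func runChecks() (mismatchRejected, matchAccepted bool) {
	leaf, roots := buildChain(policyB)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, errA := verifyWithPolicies(leaf, opts, []asn1.ObjectIdentifier{policyA})
	_, errB := verifyWithPolicies(leaf, opts, []asn1.ObjectIdentifier{policyB})
	return errA != nil, errB == nil
}

func main() {
	rejected, accepted := runChecks()
	fmt.Println("mismatched policy rejected under ExtKeyUsageAny:", rejected, "matching policy accepted:", accepted)
}
```

The check reads PolicyIdentifiers, which the parser fills from the extension on every Go release, and the fixture writes the extension bytes itself rather than relying on a template field, so the same program behaves identically on 1.23 (no library policy validation at all), on an affected 1.24.x (library validation silently skipped when KeyUsages contains ExtKeyUsageAny), and on a fixed release. On a fixed release VerifyOptions.CertificatePolicies is the proper mechanism and this explicit check is only a second line of defence; on the other two it is the only policy check that runs for such a caller.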
Comment From: gopherbot
Change https://go.dev/cl/670375 mentions this issue: crypto/x509: decouple key usage and policy validation
Comment From: rolandshoemaker
@gopherbot please backport issue for Go 1.24.
Comment From: gopherbot
Backport issue(s) opened: #73700 (for 1.24).
Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Comment From: gopherbot
Change https://go.dev/cl/672316 mentions this issue: [release-branch.go1.24] crypto/x509: decouple key usage and policy validation
Comment From: ryanzhang-oss
I wonder if this fix will be backported to the 1.23 version too?
Comment From: rolandshoemaker
Policy validation was added in 1.24, this issue does not affect 1.23.
Comment From: sivasaipega
@rolandshoemaker, this is affecting version 1.23.8, which is being used in open source https://github.com/mongodb/mongo-tools. Could you please have a fix ported to 1.23.8 also?
Comment From: rolandshoemaker
@sivasaipega how are you determining this affects 1.23.8? The affected functionality was not in 1.23 as it was introduced in 1.24, so it's unclear how this would affect those versions.