crypto/x509: ParsePKCS1PrivateKey panic with partial keys [CVE-2025-22865] #71216

Closed
@rolandshoemaker

Description

Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic
when verifying that the key is well formed.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is CVE-2025-22865.

Tracked in http://b/388805795 and fixed by https://go-internal-review.googlesource.com/c/go/+/1820.

/cc @golang/security and @golang/release
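
A defensive wrapper for the condition described above, as an added example that is not part of the original issue or the Go project's code: it rejects a PKCS #1 key whose CRT values are absent or zero before calling `ParsePKCS1PrivateKey`, and turns any parser panic into an error. The names `pkcs1Key`, `ErrPartialKey` and `ParsePKCS1Guarded` are hypothetical, and treating a zero CRT field as "missing" and rejecting such keys outright are assumptions of this sketch.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// pkcs1Key mirrors RSAPrivateKey (RFC 8017, A.1.2); CRT fields are optional so a truncated key still decodes.
type pkcs1Key struct {
	Version      int
	N            *big.Int
	E            int
	D, P, Q      *big.Int
	Dp, Dq, Qinv *big.Int `asn1:"optional"`
}

var ErrPartialKey = errors.New("pkcs1: RSA key is missing CRT values")

// ParsePKCS1Guarded (hypothetical helper) pre-checks the CRT fields, then calls the standard parser.
func ParsePKCS1Guarded(der []byte) (key *rsa.PrivateKey, err error) {
	var k pkcs1Key
	if _, uerr := asn1.Unmarshal(der, &k); uerr != nil {
		return nil, uerr
	}
	for _, v := range []*big.Int{k.Dp, k.Dq, k.Qinv} {
		if v == nil || v.Sign() == 0 {
			return nil, ErrPartialKey // absent or zero: reject before the real parser
		}
	}
	defer func() { // defence in depth: a parser panic becomes an error
		if r := recover(); r != nil {
			key, err = nil, fmt.Errorf("pkcs1: parser panicked: %v", r)
		}
	}()
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // constructed sample key
	if err == nil {
		_, err = ParsePKCS1Guarded(x509.MarshalPKCS1PrivateKey(k))
	}
	fmt.Println("well-formed key, error:", err)
}
```

The pre-check only covers the three CRT fields of a two-prime key; every other well-formedness check is left to the standard-library parser.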

Labels: NeedsFix, Security