CVE-2025-4575

Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use. A copy & paste error during minor refactoring of the code introduced this issue in the OpenSSL 3.5 version. If, for example, a trusted CA certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature verification and the CMS signature verification is intended to be marked as rejected with the -addreject option, the resulting CA certificate will be trusted for CMS signature verification purpose instead. Only users which use the trusted certificate format who use the openssl x509 command line application to add rejected uses are affected by this issue. The issues affecting only the command line application are considered to be Low severity. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/openssl/openssl/commit/e96d22446e633d117e6c9904cb15b4693e956eaa
https://openssl-library.org/news/secadv/20250522.txt
http://www.openwall.com/lists/oss-security/2025/05/22/1

Configurations

No configuration.

History

23 May 2025, 15:55

Type	Values Removed	Values Added
Summary		(es) Resumen del problema: El uso de la opción -addreject con la aplicación openssl x509 añade un uso confiable en lugar de uno rechazado para un certificado. Resumen del impacto: Si un usuario intenta rechazar un certificado confiable para un uso específico, se marcará como confiable para ese uso. Un error de copiar y pegar durante una pequeña refactorización del código introdujo este problema en la versión OpenSSL 3.5. Si, por ejemplo, un certificado de CA confiable solo debe ser confiable para autenticar servidores TLS, pero no para la verificación de firmas CMS, y esta verificación se marca como rechazada con la opción -addreject, el certificado de CA resultante se considerará confiable para la verificación de firmas CMS. Este problema solo afecta a los usuarios que usan el formato de certificado confiable y la aplicación de línea de comandos openssl x509 para añadir usos rechazados. Los problemas que afectan solo a la aplicación de línea de comandos se consideran de gravedad baja. Los módulos FIPS de las versiones 3.5, 3.4, 3.3, 3.2, 3.1 y 3.0 no se ven afectados. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 y 1.0.2 tampoco se ven afectados por este problema.

22 May 2025, 16:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/05/22/1 -

22 May 2025, 15:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

22 May 2025, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-22 14:16

Updated : 2025-05-23 15:55

NVD link : CVE-2025-4575

Mitre link : CVE-2025-4575

CVE.ORG link : CVE-2025-4575

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

6.5 /10