Cyber Resilience

CVE-2025-22865

High

Published: 28 January 2025

Published
28 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0007 22.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22865 is a high-severity an unspecified weakness vulnerability in Go (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22865 affects the Go programming language's standard library, specifically the ParsePKCS1PrivateKey function used for parsing RSA private keys in PKCS#1 format. The vulnerability causes a panic when the function processes an RSA key missing its Chinese Remainder Theorem (CRT) values during the well-formedness verification step. It was published on 2025-01-28 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A remote attacker requires no privileges or user interaction and can exploit this with low attack complexity over the network. Exploitation triggers a panic in applications using the affected function, enabling high confidentiality impact as per the CVSS score.

Mitigation details are outlined in Go's official resources, including the fix commit at https://go.dev/cl/643098, the issue tracker at https://go.dev/issue/71216, a golang-dev mailing list discussion at https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ, and the vulnerability entry at https://pkg.go.dev/vuln/GO-2025-3421. Affected Go installations should be updated to incorporate the patch.

EU & UK References

Vulnerability details

Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability in ParsePKCS1PrivateKey allows remote unauthenticated attackers to trigger a panic via malformed RSA key input, directly enabling application crashes and unavailability consistent with Endpoint Denial of Service through Application or System Exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

Go
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely patching of the flaw in Go's ParsePKCS1PrivateKey function to prevent panics on malformed RSA keys missing CRT values.

prevent

Mandates secure error handling during PKCS#1 RSA private key parsing to avoid panics and maintain system stability against malformed inputs.

prevent

Requires validation of input RSA private keys to detect and reject those missing CRT values before parsing, reducing the risk of triggering the panic.

References