CVE-2025-22874

Public on 2025-06-11

Modified on 2025-06-16

Description

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

Severity

Medium

See what this means

CVSS v3 Base Score

4.8

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Core	amazon-cloudwatch-agent	2025-06-24	ALAS2-2025-2904	Fixed
Amazon Linux 2023	amazon-cloudwatch-agent	2025-06-23	ALAS2023-2025-1029	Fixed
Amazon Linux 2 - Ecs Extra	amazon-ecr-credential-helper			Not Affected
Amazon Linux 2023	amazon-ecr-credential-helper			Pending Fix
Amazon Linux 2 - Core	amazon-ssm-agent			Not Affected
Amazon Linux 2023	amazon-ssm-agent			Pending Fix
Amazon Linux 2 - Core	cni-plugins			Not Affected
Amazon Linux 2023	cni-plugins			Pending Fix
Amazon Linux 2 - Docker Extra	containerd			Not Affected
Amazon Linux 2 - Ecs Extra	containerd			Not Affected
Amazon Linux 2023	containerd			Pending Fix
Amazon Linux 2 - Core	cri-tools			Not Affected
Amazon Linux 2 - Docker Extra	docker			Not Affected
Amazon Linux 2 - Ecs Extra	docker			Not Affected
Amazon Linux 2023	docker			Pending Fix
Amazon Linux 2 - Ecs Extra	ecs-init			Pending Fix
Amazon Linux 2023	ecs-init			Pending Fix
Amazon Linux 1	golang			No Fix Planned
Amazon Linux 2 - Core	golang			Not Affected
Amazon Linux 2023	golang	2025-06-23	ALAS2023-2025-1028	Fixed
Amazon Linux 2 - Core	golist			Not Affected
Amazon Linux 2023	libcap			Pending Fix
Amazon Linux 2 - Core	nerdctl			Not Affected
Amazon Linux 2023	nerdctl			Pending Fix
Amazon Linux 2 - Docker Extra	oci-add-hooks			Not Affected
Amazon Linux 2023	oci-add-hooks			Pending Fix
Amazon Linux 2 - Docker Extra	runc			Not Affected
Amazon Linux 2 - Ecs Extra	runc			Not Affected
Amazon Linux 2023	runc			Pending Fix
Amazon Linux 2 - Docker Extra	runfinch-finch			Not Affected
Amazon Linux 2023	runfinch-finch			Pending Fix
Amazon Linux 2 - Docker Extra	soci-snapshotter			Not Affected
Amazon Linux 2023	soci-snapshotter			Pending Fix

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	4.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2025-22874 Mitre: CVE-2025-22874