CVE-2025-22865 Overview
CVE-2025-22865 is a vulnerability in the Go programming language's crypto/x509 package where using the ParsePKCS1PrivateKey function to parse an RSA private key that is missing Chinese Remainder Theorem (CRT) values causes a panic during key validation. This can lead to a denial of service condition in applications that process untrusted RSA key material.
Critical Impact
Applications using Go's ParsePKCS1PrivateKey function to process untrusted PKCS#1 RSA private keys are vulnerable to denial of service attacks when a malformed key without CRT values is submitted.
Affected Products
- Go standard library crypto/x509 package
- Applications using ParsePKCS1PrivateKey to parse untrusted RSA keys
- Go versions prior to the security patch
Discovery Timeline
- 2025-01-28 - CVE-2025-22865 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-22865
Vulnerability Analysis
This vulnerability occurs in Go's ParsePKCS1PrivateKey function within the crypto/x509 package. The function is responsible for parsing PKCS#1-formatted RSA private keys and validating their structure. When processing an RSA private key that lacks the optional Chinese Remainder Theorem (CRT) optimization values (Dp, Dq, and Qinv), the validation logic encounters a nil pointer or invalid state, causing the application to panic rather than returning a graceful error.
The CRT values are technically optional in the PKCS#1 standard, as they are precomputed values used to speed up RSA private key operations. However, Go's key validation code does not properly handle the case where these values are absent, so validation panics instead of returning an error.
Root Cause
The root cause is improper input validation in the key verification logic of ParsePKCS1PrivateKey. When the function attempts to verify that the parsed RSA key is "well formed," it assumes the presence of CRT values without first checking if they exist. This results in operations being performed on nil or zero-length data, triggering a Go runtime panic.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious PKCS#1 RSA private key that omits the CRT values (Dp, Dq, Qinv) and submitting it to an application that parses untrusted key material. The attack is network-accessible and requires no authentication or user interaction.
Attack scenarios include:
- Submitting malformed keys to certificate management APIs
- Uploading crafted key files to services that process user-provided cryptographic material
- Injecting malicious keys through configuration management systems
The vulnerability causes a panic in the affected Go application which, unless it is recovered, terminates the process and results in denial of service. Each crash requires the application or service to be restarted, and repeated exploitation can sustain the denial of service condition indefinitely.
Detection Methods for CVE-2025-22865
Indicators of Compromise
- Unexpected application crashes or panics in Go services processing RSA keys
- Stack traces referencing crypto/x509.ParsePKCS1PrivateKey or related validation functions
- Repeated service restarts correlated with key processing operations
Detection Strategies
- Monitor application logs for Go panic stack traces involving the crypto/x509 package
- Implement alerting on sudden increases in service crashes or restarts
- Deploy input validation to detect malformed PKCS#1 keys before passing to ParsePKCS1PrivateKey
- Use static analysis tools to identify code paths that process untrusted key material
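One way to apply the first detection strategy, as an added example (not code from this advisory or the Go project): a scanner that walks Go crash output, flags panics whose stack trace passes through crypto/x509.ParsePKCS1PrivateKey, and reports the calling frame so the code path that handled the key can be reviewed. The sample log, its addresses and offsets, and the handler name main.handleUpload are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const target = "crypto/x509.ParsePKCS1PrivateKey"
// hit is one panic whose stack trace passes through ParsePKCS1PrivateKey.
type hit struct {
	Line   int    // log line number of the "panic:" header
	Caller string // frame that called the parser: the code path to review
}

// scanPanics reads Go crash output; frame lines are unindented, source lines start with a tab.
func scanPanics(log string) []hit {
	var hits []hit
	start, inTarget := 0, false
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "panic: "):
			start, inTarget = n, false
		case start == 0 || line == "" || strings.HasPrefix(line, "\t"):
			// outside a panic block, or not a frame line
		case strings.HasPrefix(line, target+"("):
			inTarget = true
		case inTarget: // first frame after the parser frame is its caller
			hits = append(hits, hit{start, strings.SplitN(line, "(", 2)[0]})
			start, inTarget = 0, false
		}
	}
	return hits
}

// sampleLog is constructed for this example; addresses and offsets are made up.
var sampleLog = strings.Join([]string{
	"2025/02/01 10:00:01 key upload received",
	"panic: (constructed placeholder message)", "", "goroutine 18 [running]:",
	target + "({0xc000100000, 0x260, 0x260})",
	"\t/usr/local/go/src/crypto/x509/pkcs1.go:0 +0x0",
	"main.handleUpload(0xc00001a0c0)", "\t/app/upload.go:42 +0x1c",
	"2025/02/01 10:00:03 service starting",
	"panic: runtime error: index out of range [3] with length 3", "",
	"goroutine 1 [running]:", "main.main()", "\t/app/main.go:10 +0x1d",
}, "\n")

func main() { fmt.Println(scanPanics(sampleLog)) }
```

Only the first panic in the sample is reported; the second is an unrelated crash with no parser frame in its trace.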
Monitoring Recommendations
- Set up real-time monitoring for Go runtime panics in production applications
- Configure health check endpoints to quickly detect service unavailability
- Implement circuit breakers around cryptographic key processing functions
- Track metrics on key parsing operations to identify anomalous patterns
How to Mitigate CVE-2025-22865
Immediate Actions Required
- Update Go to the latest patched version that addresses this vulnerability
- Review application code to identify all uses of ParsePKCS1PrivateKey with untrusted input
- Implement input validation to reject PKCS#1 keys that lack CRT values before parsing
- Consider wrapping key parsing operations with panic recovery mechanisms as a temporary measure
Patch Information
The vulnerability has been addressed by the Go security team. Detailed information about the fix is available in the Go.dev Change Log Entry. The fix ensures proper validation of RSA key components before performing operations that assume their presence.
Workarounds
- Validate PKCS#1 RSA key structure before calling ParsePKCS1PrivateKey to ensure CRT values are present
- Implement panic recovery using Go's recover() function around key parsing code to prevent application crashes
- Restrict key parsing endpoints to trusted sources only until patches can be applied
- Consider using alternative key parsing methods that handle malformed keys more gracefully
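# Check which Go toolchain version builds the application
go version
# Update Go to the latest patched version
# Follow your platform-specific update instructions
# crypto/x509 is part of the standard library, so the fix arrives with the toolchain.
# The commands below only refresh module dependencies; they do not patch crypto/x509:
go get -u all
go mod tidy
# Rebuild and redeploy binaries with the patched toolchain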
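The first two workarounds combined, as an added example that is not code from the Go project or this advisory: the PKCS#1 structure is decoded with encoding/asn1 and rejected if any CRT value is absent, and the real parser then runs under recover() so a panic is returned as an error. The names safeParsePKCS1, pkcs1Key, errNoCRT and sampleKeys are hypothetical, and the sample keys are generated at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// pkcs1Key mirrors the PKCS#1 RSAPrivateKey SEQUENCE; the CRT fields are optional.
type pkcs1Key struct {
	Version       int
	N, E, D, P, Q *big.Int
	Dp, Dq, Qinv  *big.Int `asn1:"optional"`
}
var errNoCRT = errors.New("pkcs1: CRT values (Dp, Dq, Qinv) missing")

// safeParsePKCS1 (hypothetical helper) pre-validates untrusted DER, then parses it under recover().
func safeParsePKCS1(der []byte) (key *rsa.PrivateKey, err error) {
	var k pkcs1Key
	if rest, e := asn1.Unmarshal(der, &k); e != nil || len(rest) != 0 {
		return nil, errors.New("pkcs1: malformed RSAPrivateKey structure")
	}
	if k.Dp == nil || k.Dq == nil || k.Qinv == nil {
		return nil, errNoCRT // rejected before the standard-library parser sees it
	}
	defer func() {
		if r := recover(); r != nil {
			key, err = nil, fmt.Errorf("pkcs1: parser panicked: %v", r)
		}
	}()
	return x509.ParsePKCS1PrivateKey(der)
}

// sampleKeys returns constructed input: a generated key and the same key without CRT values.
func sampleKeys() (full, noCRT []byte) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	noCRT, _ = asn1.Marshal(pkcs1Key{N: priv.N, E: big.NewInt(int64(priv.E)),
		D: priv.D, P: priv.Primes[0], Q: priv.Primes[1]})
	return x509.MarshalPKCS1PrivateKey(priv), noCRT
}

func main() {
	_, noCRT := sampleKeys()
	_, err := safeParsePKCS1(noCRT)
	fmt.Println("key without CRT values:", err)
}
```

The recover() guard only protects the goroutine that calls the helper, so it complements the toolchain upgrade rather than replacing it.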


