CVE-2025-22874
WSO2 Products Impacted: No
Customer Actions Required: No
REPORTED VULNERABILITY
A flaw was found in Go's crypto/x509 package. This vulnerability allows improper certificate validation: policy constraints can be bypassed by abusing ExtKeyUsageAny in VerifyOptions.KeyUsages [1].
REPORTED PRODUCTS
- WSO2 Choreo Connect: 1.2.0
WSO2 JUSTIFICATION
According to the CVE details, the root cause lies in the Verify method [2] of the crypto/x509 package, which is part of the Go standard library. When Verify is called with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny, policy validation is unintentionally disabled [3].
The vulnerability affects the aforementioned package in Go versions prior to 1.24.4. Version v0.4.38 of the grpc-health-probe binary packaged in Choreo Connect, which is the latest available release of the tool at this time, is built with Go 1.24.2. Although the Go version has been updated to 1.24.4 in the master branch of the grpc-health-probe repository [4], a new release containing the fixed crypto/x509 has not yet been published. As a result, it is currently not possible to incorporate a patched version of grpc-health-probe into the product.
Furthermore, it should be noted that this vulnerability is only triggered in certificate chains that include policy graphs [5], which are not present in the grpc-health-probe codebase. The only methods utilized by grpc-health-probe are NewCertPool [6] and AppendCertsFromPEM [7]. Hence, in grpc-health-probe version 0.4.38, which is bundled with the above-listed product, the reported vulnerability is not present.
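To illustrate the safe pattern the justification above depends on, here is an added example that is not code from WSO2, Go or grpc-health-probe: it builds a constructed CA and leaf in memory, loads the CA through the same NewCertPool/AppendCertsFromPEM calls the advisory names, and verifies with a concrete extended key usage while refusing ExtKeyUsageAny. The function names, the "localhost" leaf and the constructed certificates are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeChain builds a constructed fixture: an in-memory CA (returned as PEM) and a
// leaf it signed for "localhost". Nothing here is a real certificate.
func makeChain() (caPEM []byte, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, err := x509.ParseCertificate(caDER) // parsing nil DER also fails, so one check covers both
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"localhost"}, NotBefore: nb,
		NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	leaf, err = x509.ParseCertificate(leafDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, err
}

// verifyLeaf mirrors the NewCertPool/AppendCertsFromPEM flow the advisory describes, but
// refuses ExtKeyUsageAny (the CVE-2025-22874 trigger) so a concrete EKU is always enforced.
func verifyLeaf(caPEM []byte, leaf *x509.Certificate, usages []x509.ExtKeyUsage) error {
	for _, ku := range usages {
		if ku == x509.ExtKeyUsageAny {
			return errors.New("refusing VerifyOptions with ExtKeyUsageAny")
		}
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate parsed from PEM")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "localhost", KeyUsages: usages})
	return err
}
```

With ExtKeyUsageServerAuth the constructed leaf verifies; with ExtKeyUsageClientAuth the EKU check rejects it, and ExtKeyUsageAny is refused before Verify is ever reached.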
CONCLUSION
- The grpc-health-probe used in the WSO2 product does not contain the above-mentioned vulnerability.
- There is no current version of grpc-health-probe that has the vulnerability mitigated.
- When such a version is released, the mentioned dependency will be upgraded.