| id: GO-2025-4013 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.24.8 |
| - introduced: 1.25.0 |
| - fixed: 1.25.2 |
| vulnerable_at: 1.25.1 |
| packages: |
| - package: crypto/x509 |
| symbols: |
| - alreadyInChain |
| derived_symbols: |
| - Certificate.Verify |
| summary: Panic when validating certificates with DSA public keys in crypto/x509 |
| description: |- |
| Validating certificate chains which contain DSA public keys can cause programs |
| to panic, due to a interface cast that assumes they implement the Equal method. |
| |
| This affects programs which validate arbitrary certificate chains. |
| cves: |
| - CVE-2025-58188 |
| credits: |
| - Jakub Ciolek |
| references: |
| - fix: https://go.dev/cl/709853 |
| - report: https://go.dev/issue/75675 |
| - web: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI |
| cve_metadata: |
| id: CVE-2025-58188 |
| cwe: 'CWE-248: Uncaught Exception' |
| source: |
| id: go-security-team |
| created: 2025-10-28T18:36:09.818369-07:00 |
| review_status: REVIEWED |
