CVE-2025-22874
High · CVSS 7.5
Low Impact
Exploiting this CVE requires an uncommon setup or configuration. Upgrading is still recommended when possible.
ExtKeyUsageAny in their certificate verification options, and only when the peer certificate chain includes policy graph extensions — an uncommon combination.
Component
Go standard library (crypto/x509)
Disclosed
Jun 19, 2025
CVSS Score
7.5
crypto/x509.Verify with a VerifyOptions.KeyUsages slice that contains ExtKeyUsageAny unintentionally disables certificate policy graph validation. Certificate chains that include policy extensions may be accepted when they should be rejected based on their declared policies. The condition requires both an uncommon certificate configuration (policy graphs) and the explicit use of ExtKeyUsageAny in the TLS verification options. Fixed in Go 1.24.4.
Community Edition
2.10.1 addresses this CVE
Affected CE versions
>= 2.0, < 2.10.1
Enterprise Edition
2.10.1 addresses this CVE
Affected EE versions
>= 2.0, < 2.10.1
Upgrade to the addressed version or later to remediate this vulnerability.
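The two preconditions described above can be checked in code. The following is an added example, not KrakenD's or the Go project's code: an audit helper that reports whether a given x509.VerifyOptions and peer chain meet both conditions on an unpatched Go runtime (before 1.24.4), and a helper that narrows KeyUsages to explicit usages so the first precondition no longer holds. The policy OID under the private-enterprise arc is a constructed placeholder.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"slices"
)

// hasExtKeyUsageAny: first precondition, the wildcard usage in VerifyOptions.KeyUsages.
func hasExtKeyUsageAny(opts x509.VerifyOptions) bool {
	return slices.Contains(opts.KeyUsages, x509.ExtKeyUsageAny)
}

// chainHasPolicies: second precondition, a certificatePolicies extension anywhere in the peer chain.
func chainHasPolicies(chain []*x509.Certificate) bool {
	for _, c := range chain {
		if len(c.PolicyIdentifiers) > 0 {
			return true
		}
	}
	return false
}

// exposed is true only when both preconditions hold; on Go < 1.24.4 policy
// graph validation would then be skipped for this verification.
func exposed(opts x509.VerifyOptions, chain []*x509.Certificate) bool {
	return hasExtKeyUsageAny(opts) && chainHasPolicies(chain)
}

// narrowKeyUsages returns a copy of opts with ExtKeyUsageAny replaced by the
// explicit usages the caller needs; the original opts is left untouched.
func narrowKeyUsages(opts x509.VerifyOptions, wanted ...x509.ExtKeyUsage) x509.VerifyOptions {
	out := opts
	out.KeyUsages = append([]x509.ExtKeyUsage(nil), wanted...)
	for _, ku := range opts.KeyUsages {
		if ku != x509.ExtKeyUsageAny {
			out.KeyUsages = append(out.KeyUsages, ku)
		}
	}
	return out
}

func main() {
	// Constructed sample leaf carrying a placeholder policy OID (not a real policy).
	leaf := &x509.Certificate{PolicyIdentifiers: []asn1.ObjectIdentifier{{1, 3, 6, 1, 4, 1, 99999, 1}}}
	opts := x509.VerifyOptions{KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	fmt.Println(exposed(opts, []*x509.Certificate{leaf}), exposed(narrowKeyUsages(opts, x509.ExtKeyUsageServerAuth), []*x509.Certificate{leaf}))
}
```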