CVE-2025-4575
📋 TL;DR
A copy-paste error in OpenSSL 3.5 causes the '-addreject' option in the openssl x509 command to incorrectly mark certificates as trusted for specific uses instead of rejecting them. This affects users who use the trusted certificate format and specifically apply the '-addreject' option to restrict certificate usage. The vulnerability has low severity as it only impacts command-line operations.
💻 Affected Systems
- OpenSSL
📦 What is this software?
OpenSSL by OpenSSL
OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.
⚠️ Risk & Real-World Impact
Worst Case
A certificate intended to be rejected for specific purposes (like CMS signature verification) could be incorrectly trusted, potentially allowing unauthorized operations if that certificate is used inappropriately.
Likely Case
Misconfiguration where certificates have unintended trust relationships, requiring manual correction of certificate trust settings.
If Mitigated
Minimal impact since this only affects command-line certificate manipulation and doesn't enable remote exploitation or privilege escalation.
🎯 Exploit Status
Exploitation requires local access and specific command-line usage patterns. This is a configuration error rather than a remotely exploitable vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenSSL 3.5 with fix applied (commit e96d22446e633d117e6c9904cb15b4693e956eaa)
Vendor Advisory: https://openssl-library.org/news/secadv/20250522.txt
Restart Required: No
Instructions:
1. Update OpenSSL to version 3.5 with the fix applied.
2. Rebuild any applications linked against OpenSSL if using static linking.
3. Verify the fix by checking the OpenSSL version and testing the '-addreject' functionality.
🔧 Temporary Workarounds
Avoid using -addreject in OpenSSL 3.5
Do not use the '-addreject' option with the openssl x509 command in OpenSSL 3.5 until patched
# Do not run: openssl x509 -addreject ...
# Use alternative methods to manage certificate trust
Use older OpenSSL version
Temporarily use OpenSSL 3.4 or an earlier version, which are not affected
# Example for Linux: apt-get install openssl=3.4.*
# Or compile from source: git checkout openssl-3.4
🧯 If You Can't Patch
- Manually verify all certificates modified with '-addreject' in OpenSSL 3.5 to ensure correct trust settings
- Use alternative certificate management tools or scripts that don't rely on the affected openssl x509 functionality
🔍 How to Verify
Check if Vulnerable:
Check OpenSSL version: openssl version. If it shows 'OpenSSL 3.5' and you've used '-addreject' with trusted certificates, you may be affected.
Check Version:
openssl version
Verify Fix Applied:
1. Check version: openssl version.
2. Test the '-addreject' functionality with a test certificate to ensure it correctly rejects rather than trusts.
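The following script is an added example, not part of the advisory or of OpenSSL itself. It carries out step 2 above: it generates a throwaway self-signed certificate, applies '-addreject serverAuth', and parses the '-text' dump to see whether the purpose landed under "Rejected Uses:" (fixed) or "Trusted Uses:" (the CVE-2025-4575 symptom). The function and variable names are the author's own; the parser assumes the "Trusted Uses:" / "Rejected Uses:" / "No ... Uses." layout that openssl x509 -text prints for trusted certificates.

```shell
#!/bin/sh
# classify_purpose DUMP PURPOSE
# Reads an `openssl x509 -text` dump from $1 and prints "trusted", "rejected"
# or "none" depending on where the purpose long name $2 appears
# (e.g. "TLS Web Server Authentication" for the serverAuth OID).
classify_purpose() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Trusted Uses:/  { section = "trusted";  next }
        /^Rejected Uses:/ { section = "rejected"; next }
        /^No Trusted Uses\./ || /^No Rejected Uses\./ { section = ""; next }
        /^[^ ]/ { section = "" }          # any other unindented line ends the list
        section != "" {
            # purposes are printed comma-separated on an indented line
            n = split($0, items, /, */)
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", items[i])
                if (items[i] == want) { print section; found = 1; exit }
            }
        }
        END { if (!found) print "none" }'
}

# live_addreject_check
# Probes the installed openssl binary. Returns 0 when -addreject yields a
# rejection, 1 when it yields trust (vulnerable), 2 when the probe itself failed.
live_addreject_check() {
    tmp=$(mktemp -d) || return 2
    # Throwaway key and self-signed cert; nothing here is reused elsewhere.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -noenc \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        -subj "/CN=addreject-probe" -days 1 >/dev/null 2>&1 \
        || { rm -rf "$tmp"; return 2; }
    # The option under test: serverAuth should end up in the reject list.
    openssl x509 -in "$tmp/cert.pem" -addreject serverAuth -trustout \
        -out "$tmp/trusted.pem" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    dump=$(openssl x509 -in "$tmp/trusted.pem" -noout -text)
    rm -rf "$tmp"
    state=$(classify_purpose "$dump" "TLS Web Server Authentication")
    echo "serverAuth after -addreject is recorded as: $state"
    [ "$state" = rejected ]
}

# Run the live probe only when asked for explicitly: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_addreject_check
fi
```

An exit status of 1 from the live probe means the installed build still shows the copy-paste error; 0 means the purpose was correctly recorded as rejected.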
📡 Detection & Monitoring
Log Indicators:
- Log entries showing openssl x509 commands with '-addreject' option being executed
Network Indicators:
- None - this is a local command-line issue
SIEM Query:
process.name:"openssl" AND command_line:"x509" AND command_line:"-addreject"