OpenSSL 3.5.0 < 3.5.1 Vulnerability

🗓️ 22 May 2025 00:00:00Reported by TenableType

OpenSSL versions prior to 3.5.1 vulnerable to trust misconfiguration with certificate uses.

Reporter	Title	Published	Views	Family All 39
FreeBSD	OpenSSL -- Inverted security logic in x509 app	23 May 202500:00	–	freebsd
AlpineLinux	CVE-2025-4575	22 May 202513:36	–	alpinelinux
Broadcom	Brocade Fabric OS (10.x and 9.2.x Releases) Vulnerability Disclosures	27 Sep 202400:00	–	broadcom
Broadcom	The x509 application adds trusted use instead of rejected use	27 Jan 202600:00	–	broadcom
Chainguard	CVE-2025-4575 vulnerabilities	28 May 202519:15	–	cgr
Circl	CVE-2025-4575	22 May 202513:43	–	circl
CNNVD	OpenSSL 安全漏洞	22 May 202500:00	–	cnnvd
CVE	CVE-2025-4575	22 May 202513:36	–	cve
Cvelist	CVE-2025-4575 The x509 application adds trusted use instead of rejected use	22 May 202513:36	–	cvelist
Debian CVE	CVE-2025-4575	22 May 202513:36	–	debiancve

Source	Link
nessus	www.nessus.org/u
openssl-library	www.openssl-library.org/news/secadv/20250522.txt
nessus	www.nessus.org/u
cve	www.cve.org/CVERecord
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(237112);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/21");

  script_cve_id("CVE-2025-4575");
  script_xref(name:"IAVA", value:"2025-A-0378-S");

  script_name(english:"OpenSSL 3.5.0 < 3.5.1 Vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of OpenSSL installed on the remote host is prior to 3.5.1. It is, therefore, affected by a vulnerability as
referenced in the 3.5.1 advisory.

  - Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a
    rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected
    for a particular use it will be instead marked as trusted for that use. A copy & paste error during minor
    refactoring of the code introduced this issue in the OpenSSL 3.5 version. If, for example, a trusted CA
    certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature
    verification and the CMS signature verification is intended to be marked as rejected with the -addreject
    option, the resulting CA certificate will be trusted for CMS signature verification purpose instead. Only
    users which use the trusted certificate format who use the openssl x509 command line application to add
    rejected uses are affected by this issue. The issues affecting only the command line application are
    considered to be Low severity. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by
    this issue. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this issue.
    (CVE-2025-4575)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://github.com/openssl/openssl/commit/e96d22446e633d117e6c9904cb15b4693e956eaa
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?71c5cf95");
  script_set_attribute(attribute:"see_also", value:"https://openssl-library.org/news/secadv/20250522.txt");
  # https://openssl-library.org/policies/general/security-policy/index.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac4598c");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-4575");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSL version 3.5.1 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-4575");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/05/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/22");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("openssl_version.nasl", "openssl_nix_installed.nbin", "openssl_win_installed.nbin");
  script_require_keys("installed_sw/OpenSSL");

  exit(0);
}

include('vcf.inc');
include('vcf_extras_openssl.inc');

var app_info = vcf::combined_get_app_info(app:'OpenSSL');

vcf::check_all_backporting(app_info:app_info);

var constraints = [
  { 'min_version' : '3.5.0', 'fixed_version' : '3.5.1' }
];

vcf::openssl::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);

21 Jan 2026 00:00Current

7.3High risk

Vulners AI Score7.3

CVSS 3.16.5

EPSS0.00077

SSVC