Platform
go
Component
github.com/smallstep/certificates
Fixed in
0.28.5
0.28.4
0.29.0
CVE-2025-44005 describes a critical authorization bypass vulnerability within the ACME and SCEP provisioners of the Step CA certificates library (github.com/smallstep/certificates). This flaw allows an attacker to potentially issue certificates without proper authorization, leading to severe trust and security compromises. The vulnerability impacts versions prior to 0.29.0. A fix has been released in version 0.29.0.
The authorization bypass vulnerability in Step CA certificates allows an attacker to circumvent the intended access controls for certificate issuance. An attacker could leverage this to issue certificates for arbitrary domains, potentially impersonating legitimate services or websites. This could lead to man-in-the-middle attacks, phishing campaigns, and other malicious activities. The impact is particularly severe because Step CA is often used in automated certificate management systems, making it a prime target for automated exploitation. Successful exploitation could compromise the entire certificate chain of trust for organizations relying on Step CA.
CVE-2025-44005 has been published and is considered critical. Public proof-of-concept exploits are likely to emerge given the severity and ease of exploitation. The vulnerability is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring. Active exploitation campaigns are possible, especially targeting environments with unpatched Step CA installations.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-44005 is to immediately upgrade to version 0.29.0 or later of the Step CA certificates library. If upgrading is not immediately feasible, consider implementing stricter access controls around the ACME and SCEP endpoints to limit the potential impact of unauthorized requests. Monitor logs for suspicious certificate issuance activity. While a WAF cannot directly prevent this vulnerability, it can help detect and block malicious requests attempting to exploit it. After upgrading, confirm the fix by attempting to issue a certificate using an unauthorized account and verifying that the request is denied.
Update Step-CA to the latest available version. This corrects the vulnerability that allows authorization checks to be bypassed during ACME or SCEP certificate creation. See the security advisory GHSA-h8cp-697h-8c8p for more details.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-44005 is a critical authorization bypass vulnerability in the ACME and SCEP provisioners of the Step CA certificates library, allowing unauthorized certificate issuance.
You are affected if you are using Step CA certificates versions prior to 0.29.0. Upgrade immediately to mitigate the risk.
Upgrade to version 0.29.0 or later of the Step CA certificates library. Implement stricter access controls as a temporary workaround if immediate upgrade is not possible.
While not confirmed, the vulnerability's severity and ease of exploitation make active exploitation highly probable. Monitor your systems closely.
Refer to the official Smallstep security advisory for detailed information and updates: [https://smallstep.com/security/advisories/CVE-2025-44005](https://smallstep.com/security/advisories/CVE-2025-44005)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.