Platform: go
Component: github.com/smallstep/certificates
Fixed versions: 0.28.5, 0.28.4, 0.29.0
CVE-2025-44005 describes a critical authorization bypass vulnerability within the ACME and SCEP provisioners of the Step CA certificates library (github.com/smallstep/certificates). This flaw allows an attacker to potentially issue certificates without proper authorization, leading to severe trust and security compromises. The vulnerability impacts versions prior to 0.29.0. A fix has been released in version 0.29.0.
The authorization bypass vulnerability in Step CA certificates allows an attacker to circumvent the intended access controls for certificate issuance. An attacker could leverage this to issue certificates for arbitrary domains, potentially impersonating legitimate services or websites. This could lead to man-in-the-middle attacks, phishing campaigns, and other malicious activities. The impact is particularly severe because Step CA is often used in automated certificate management systems, making it a prime target for automated exploitation. Successful exploitation could compromise the entire certificate chain of trust for organizations relying on Step CA.
CVE-2025-44005 has been published and is considered critical. Public proof-of-concept exploits are likely to emerge given the severity and ease of exploitation. The vulnerability is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring. Active exploitation campaigns are possible, especially targeting environments with unpatched Step CA installations.
Organizations heavily reliant on automated certificate management systems using Step CA are at significant risk. This includes DevOps teams, cloud providers, and any environment where certificates are automatically provisioned. Legacy systems or configurations that haven't been updated to the latest versions are particularly vulnerable.
• go / supply-chain: Inspect dependencies for vulnerable versions of github.com/smallstep/certificates. Use go mod graph to identify dependencies and their versions.
  go mod graph | grep certificates
• generic web: Monitor ACME and SCEP endpoints for unusual certificate issuance requests. Examine logs for requests originating from unexpected IP addresses or user agents.
• generic web: Check for unusual certificate issuance patterns or certificates issued to unexpected domains. Review audit logs for any unauthorized certificate requests.
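The dependency check from the first item above, as an added example that is not code from this page or from the Smallstep project: a Go program that parses `go mod graph` output and flags every edge that pulls in an affected github.com/smallstep/certificates version. It takes the fix data as this page states it (fixed in 0.29.0, with 0.28.4 and 0.28.5 also listed as fixed versions and therefore treated as patched backports); the module graph sample in the test is constructed.

```go
package main

import (
	"strconv"
	"strings"
)

// Data as stated on this page: fixed in 0.29.0; 0.28.4 and 0.28.5
// are also listed as fixed versions, so they count as patched here.
const vulnModule = "github.com/smallstep/certificates"
const fixed = 29000 // 0.29.0 encoded as major*1e6 + minor*1e3 + patch
var patched = map[int]bool{28004: true, 28005: true} // 0.28.4, 0.28.5

// IsVulnerable reports whether a resolved certificates version is affected.
// Unparseable versions count as affected; a pre-release of the fix (v0.29.0-rc.1) still predates it.
func IsVulnerable(version string) bool {
	v, pre := strings.TrimPrefix(version, "v"), false
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, pre = v[:i], true // pre-release or pseudo-version suffix
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return true
	}
	n := 0
	for _, p := range parts {
		d, err := strconv.Atoi(p)
		if err != nil || d > 999 {
			return true
		}
		n = n*1000 + d
	}
	if patched[n] && !pre {
		return false
	}
	return n < fixed || (n == fixed && pre)
}

// FindVulnerable scans `go mod graph` output ("parent child@version" per
// line) and returns each edge that pulls in an affected certificates version.
func FindVulnerable(graph string) []string {
	var hits []string
	for _, line := range strings.Split(graph, "\n") {
		_, dep, _ := strings.Cut(line, " ") // the "child@version" half
		if mod, ver, ok := strings.Cut(dep, "@"); ok && mod == vulnModule && IsVulnerable(ver) {
			hits = append(hits, line)
		}
	}
	return hits
}
```

Feed the text of `go mod graph` to FindVulnerable; pseudo-versions and versions it cannot parse are reported as affected so they get a manual look.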
disclosure
Exploitation status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-44005 is to immediately upgrade to version 0.29.0 or later of the Step CA certificates library. If upgrading is not immediately feasible, consider implementing stricter access controls around the ACME and SCEP endpoints to limit the potential impact of unauthorized requests. Monitor logs for suspicious certificate issuance activity. While a WAF cannot directly prevent this vulnerability, it can help detect and block malicious requests attempting to exploit it. After upgrading, confirm the fix by attempting to issue a certificate using an unauthorized account and verifying that the request is denied.
Upgrade Step-CA to the latest available version. This fixes a vulnerability that allowed authorization checks to be skipped during ACME or SCEP certificate creation. See the security advisory GHSA-h8cp-697h-8c8p for more details.
CVE-2025-44005 is a critical authorization bypass vulnerability in the ACME and SCEP provisioners of the Step CA certificates library, allowing unauthorized certificate issuance.
You are affected if you are using Step CA certificates versions prior to 0.29.0. Upgrade immediately to mitigate the risk.
Upgrade to version 0.29.0 or later of the Step CA certificates library. Implement stricter access controls as a temporary workaround if immediate upgrade is not possible.
While not confirmed, the vulnerability's severity and ease of exploitation make active exploitation highly probable. Monitor your systems closely.
Refer to the official Smallstep security advisory for detailed information and updates: [https://smallstep.com/security/advisories/CVE-2025-44005](https://smallstep.com/security/advisories/CVE-2025-44005)