PT-2025-22478 · Openssl · Openssl

Alexandr Sosedkin +1 · Published 2025-05-02 · Updated 2026-04-27 · CVE-2025-4575

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

OpenSSL version 3.5

Description

The issue arises from the use of the -addreject option with the openssl x509 application, which adds a trusted use instead of a rejected use for a certificate. If a user intends to mark a trusted certificate as rejected for a particular use, it will instead be marked as trusted for that use. The problem was introduced by a copy & paste error during minor refactoring of the code in OpenSSL 3.5. Only users who use the trusted certificate format and the openssl x509 command line application to add rejected uses are affected.

Recommendations

For OpenSSL version 3.5, consider avoiding the use of the -addreject option with the openssl x509 application until a fix is available. As a temporary workaround, manually verify the certificate uses after adding them to ensure they match the intended configuration.
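
The manual verification recommended above can be scripted. The following is an added example, not part of the advisory or of OpenSSL: use_status and check_addreject are hypothetical helper names, and the sample trust sections are constructed on the assumption that openssl x509 -noout -text prints "Trusted Uses:" / "Rejected Uses:" followed by a comma-separated list of display names on the next line.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample text below is constructed.
# use_status TEXT NAME -> prints rejected | trusted | both | unset
# NAME is the display name, e.g. "TLS Web Server Authentication" for serverAuth.
use_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /Trusted Uses:/  { sect = "t"; next }   # list follows on the next line
        /Rejected Uses:/ { sect = "r"; next }
        sect != "" {
            n = split($0, uses, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", uses[i])
                if (uses[i] == want) { if (sect == "t") t = 1; else r = 1 }
            }
            sect = ""
        }
        END {
            if (t && r) print "both"
            else if (r) print "rejected"
            else if (t) print "trusted"
            else print "unset"
        }'
}

# check_addreject: run the local openssl on a throwaway self-signed certificate.
# Returns 0 if serverAuth ended up rejected, 1 if it did not, 2 if skipped.
check_addreject() {
    command -v openssl >/dev/null 2>&1 || return 2
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=addreject-test" \
        -days 1 -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl x509 -in "$d/cert.pem" -addreject serverAuth -trustout \
        -out "$d/trusted.pem" 2>/dev/null &&
    text=$(openssl x509 -in "$d/trusted.pem" -noout -text) || { rm -rf "$d"; return 2; }
    rm -rf "$d"
    [ "$(use_status "$text" "TLS Web Server Authentication")" = "rejected" ]
}

# Constructed samples of the trust section (not captured from a real run).
USE="TLS Web Server Authentication"
GOOD='        No Trusted Uses.
        Rejected Uses:
          TLS Web Server Authentication'
BAD='        Trusted Uses:
          TLS Web Server Authentication
        No Rejected Uses.'
echo "good sample: $(use_status "$GOOD" "$USE"); bad sample: $(use_status "$BAD" "$USE")"
rc=0; check_addreject || rc=$?
echo "local openssl check: exit $rc (0 ok, 1 use not rejected, 2 skipped)"
```

The same use_status call can be pointed at the -text output of any existing trusted-format certificate that was produced with -addreject.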

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2025-06413
CVE-2025-4575
JLSEC-2026-259
OPENSUSE-SU-2025:15183-1

Affected Products

Openssl