PT-2025-47160 · Unknown · Gosign Desktop

Published: 2025-11-17 · Updated: 2026-02-05 · CVE-2025-65083

CVSS v3.1: 3.2 (Low)

Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

GoSign Desktop versions through 2.4.1

Description

GoSign Desktop versions through 2.4.1 disable TLS certificate validation when configured to use a proxy server. This becomes a problem if a user selects a proxy server without checking whether outbound HTTPS connections from the proxy server to internet servers succeed even for untrusted or invalid server certificates. In such a scenario, integrity protection could be bypassed. The issue arises outside the product's intended use, where a client application is expected to trust an enterprise certificate authority and not set SSL_VERIFY_NONE. Placing the ~/.gosign directory in the home directory of an untrusted user and allowing other users to execute downloaded files is also considered unsafe.

Recommendations

Versions prior to 2.4.1 are not affected. Users of versions through 2.4.1 should avoid using arbitrary proxy servers without verifying the validity of server certificates. Avoid placing the ~/.gosign directory in the home directory of an untrusted user. Avoid allowing other users to execute downloaded files.

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2025-65083
ZDI-26-062

Affected Products

Gosign Desktop