CVE-2025-65083

GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from the proxy server to Internet servers succeed even for untrusted or invalid server certificates. In this scenario (which is outside of the product's design objectives), integrity protection could be bypassed. In typical cases of a proxy server for outbound HTTPS traffic from an enterprise, those connections would not succeed. (Admittedly, the usual expectation is that a client application is configured to trust an enterprise CA and does not set SSL_VERIFY_NONE.) Also, it is of course unsafe to place ~/.gosign in the home directory of an untrusted user and then have other users execute downloaded files.

CVSS v3 3.2 LOW

3.2^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.4 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://securityaffairs.com/184672/hacking/multiple-vulnerabilities-in-gosign-desktop-lead-to-remote-code-execution.html
https://www.firma.infocert.it/prodotti/gosign

Configurations

No configuration.

History

17 Nov 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-17 16:15

Updated : 2025-11-18 14:06

NVD link : CVE-2025-65083

Mitre link : CVE-2025-65083

CVE.ORG link : CVE-2025-65083

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

3.2 /10