Description
A certificate expiration is not validated or is incorrectly validated.
Potential Impact
- Integrity: Other
- Authentication: Other
Demonstrative Examples
The following OpenSSL client code asks the library for the verification result of the peer certificate, but then accepts an expired certificate as if verification had succeeded:

```c
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
    foo = SSL_get_verify_result(ssl);
    /* BAD: an expired certificate is accepted alongside X509_V_OK */
    if ((X509_V_OK == foo) || (X509_V_ERR_CERT_HAS_EXPIRED == foo)) {
        // do stuff
    }
}
```

By treating X509_V_ERR_CERT_HAS_EXPIRED as success, the program trusts a certificate whose validity period has ended. The connection should only proceed when the result is exactly X509_V_OK.
Mitigations & Prevention
Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
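The following Go program is an added example for this page, not code from CWE or from any of the products listed below. It uses only the standard library's crypto/x509 package. It mints a throwaway self-signed certificate for the hypothetical host example.test with a fixed validity window, pins that certificate as the only trust anchor (the pinning case from the mitigation text), and then evaluates it at three clock values: inside the validity period, after notAfter, and before notBefore. verifyStrict is the correct check; verifyIgnoringExpiry reproduces the mistake in the OpenSSL snippet above, where an expiry failure is swallowed and the peer is accepted anyway.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned mints a throwaway self-signed server certificate for host that is
// valid only between notBefore and notAfter. Constructed test data for this example.
func makeSelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyStrict is the correct check: chain, hostname and validity period are all
// evaluated against now, and any failure rejects the peer.
func verifyStrict(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// verifyIgnoringExpiry reproduces the weakness in the page's OpenSSL snippet:
// verification runs, but an expiry failure is treated as success (CWE-298).
func verifyIgnoringExpiry(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	err := verifyStrict(cert, roots, host, now)
	if isExpiryError(err) {
		return nil // the exact mistake the page warns about; never do this
	}
	return err
}

// isExpiryError reports whether err is x509's "outside the validity period" error.
// Go uses the single reason Expired for both not-yet-valid and expired certificates.
func isExpiryError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// ScenarioResults records how the two checks behave at three points in time.
type ScenarioResults struct {
	StrictAcceptsValid       bool
	StrictRejectsExpired     bool
	StrictRejectsNotYetValid bool
	LenientAcceptsExpired    bool
}

// scenarioResults pins the self-signed certificate as the only trust anchor and
// evaluates it at fixed clock values, so the outcome does not depend on run time.
func scenarioResults() (ScenarioResults, error) {
	const host = "example.test" // hypothetical host name for this example
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := makeSelfSigned(host, notBefore, notAfter)
	if err != nil {
		return ScenarioResults{}, err
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(cert)

	inside := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	after := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	before := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)

	return ScenarioResults{
		StrictAcceptsValid:       verifyStrict(cert, pinned, host, inside) == nil,
		StrictRejectsExpired:     isExpiryError(verifyStrict(cert, pinned, host, after)),
		StrictRejectsNotYetValid: isExpiryError(verifyStrict(cert, pinned, host, before)),
		LenientAcceptsExpired:    verifyIgnoringExpiry(cert, pinned, host, after) == nil,
	}, nil
}

func main() {
	r, err := scenarioResults()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

Passing an explicit CurrentTime is what makes the example deterministic; in production code leave it zero so the library uses the real clock, and treat every non-nil error from Verify as fatal to the connection, surfacing the validity dates to the user as the mitigation text recommends. Note that the not-yet-valid case is rejected too, which matches the last CVE row below about activation dates.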
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2025-4384 | product does not verify that a certificate has expired |
| CVE-2007-3564 | web library product does not verify that a certificate has expired |
| CVE-2007-6746 | IRC product does not check the expiration date of the X.509 certificate |
| CVE-2007-6746 | library for SSL and TLS does not check the activation or expiration dates of CA certificates |
Related Weaknesses
Taxonomy Mappings
- CLASP: Failure to validate certificate expiration
Frequently Asked Questions
What is CWE-298?
CWE-298 (Improper Validation of Certificate Expiration) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. A certificate expiration is not validated or is incorrectly validated.
How can CWE-298 be exploited?
An attacker who has obtained an expired certificate together with its private key can present it to a client that does not check the validity period and be accepted as the legitimate peer, undermining authentication and the integrity of the data exchanged over the connection. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-298?
Key mitigations include: check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed; and, if certificate pinning is used, fully validate all relevant properties of the certificate, including its expiration, before pinning it.
What is the severity of CWE-298?
CWE-298 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 4 real-world CVEs.