GO-2025-4175

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2025-4175

Import Source

https://vuln.go.dev/ID/GO-2025-4175.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2025-4175

Aliases

CVE-2025-61727

Published

2025-12-02T20:55:55Z

Modified

2025-12-03T19:43:52.709377Z

Summary

Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509

Details

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2025-4175",
    "review_status": "REVIEWED"
}

References

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.24.11

Introduced

1.25.0

Fixed

1.25.5

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "Certificate.Verify"
            ],
            "path": "crypto/x509"
        }
    ]
}