crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (CVE-2025-61727) #76442

@rolandshoemaker

A certificate with the excluded constraint foo.example.com should preclude a leaf with the SAN *.example.com. This unfortunately is not well defined in the X.509 specifications, so slipped through.

This is a PUBLIC track security issue.
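
The overlap described in this issue, as an added example that is not part of the original report and is not the `crypto/x509` code or its fix: a label-wise audit check that flags a DNS SAN whose possible hostnames fall inside an excluded subtree. The function names `sanHitsExcluded` and `auditSANs` are hypothetical, the sample names are constructed, and the check assumes a wildcard appears only as the whole leftmost label and stands for exactly one label.

```go
package main

import (
	"fmt"
	"strings"
)

// sanHitsExcluded reports whether a DNS SAN (optionally with a leftmost "*"
// label) can name a host inside the excluded DNS subtree. Both inputs are
// assumed to be non-empty, syntactically valid DNS names.
func sanHitsExcluded(san, excluded string) bool {
	s := strings.Split(strings.ToLower(strings.TrimSuffix(san, ".")), ".")
	c := strings.Split(strings.ToLower(strings.TrimSuffix(excluded, ".")), ".")
	if len(c) > len(s) {
		// Every name the SAN covers is shorter than the constraint.
		return false
	}
	// Compare labels right to left across the constraint's length.
	for i := 1; i <= len(c); i++ {
		sl, cl := s[len(s)-i], c[len(c)-i]
		// A leftmost "*" can take the value of any single constraint label.
		wildcard := sl == "*" && len(s)-i == 0
		if !wildcard && sl != cl {
			return false
		}
	}
	return true
}

// auditSANs returns the SANs that overlap at least one excluded subtree.
func auditSANs(sans, excluded []string) []string {
	var bad []string
	for _, san := range sans {
		for _, ex := range excluded {
			if sanHitsExcluded(san, ex) {
				bad = append(bad, san)
				break
			}
		}
	}
	return bad
}

func main() {
	// Constructed sample: the constraint and SAN from the issue, plus controls.
	sans := []string{"www.example.com", "*.example.com", "*.example.net"}
	fmt.Println(auditSANs(sans, []string{"foo.example.com"})) // [*.example.com]
}
```

A plain string or suffix comparison of `*.example.com` against `foo.example.com` finds no match, which is the gap the issue describes; treating the wildcard label as "any one label" closes it.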

Labels

- FixPending: Issues that have a fix which has not yet been reviewed or submitted.
- NeedsFix: The path to resolution is known, but the work has not been done.
- Security
- release-blocker