CVE-2025-58187
published 2025-10-29CVE-2025-58187: Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.38%
30.3th percentile
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky) |
| github.com | open-feature_flagd_core | >= 0 < 0.13.1 | 0.13.1 |
| github.com | open-feature_flagd_flagd | >= 0 < 0.13.1 | 0.13.1 |
| github.com | open-feature_flagd_flagd-proxy | >= 0 < 0.8.2 | 0.8.2 |
| github.com | opentofu_opentofu | >= 0 < 1.10.7 | 1.10.7 |
| go_standard_library | crypto_x509 | < 1.24.9 | 1.24.9 |
| go_standard_library | crypto_x509 | >= 1.25.0 < 1.25.3 | 1.25.3 |
| golang | go | < 1.24.9 | 1.24.9 |
| golang | go | >= 1.25.0 < 1.25.3 | 1.25.3 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.12-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.25.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.25.5-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.25.6-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gcc_11.2.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.8-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.9-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.0HIGH
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
vendor_msrc5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
flagd: Multiple Go Runtime CVEs Impact Security and Availability
ghsa·2026-01-05·CVSS 7.0
CVE-2025-47907 [HIGH] CWE-20 flagd: Multiple Go Runtime CVEs Impact Security and Availability
flagd: Multiple Go Runtime CVEs Impact Security and Availability
### Summary
In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling.
| CVE ID | Impacted Package | Severity | Description & Impact on flagd |
| -- | -- | -- | -- |
| CVE-2025-47907 | database/sql | 7.0 (High) | Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations. |
| CVE-2025-61725 | net/mail | 7.5 (High) | DoS: Inefficient complexity in ParseAdd
OSV
flagd: Multiple Go Runtime CVEs Impact Security and Availability
osv·2026-01-05·CVSS 7.0
CVE-2025-47907 [HIGH] flagd: Multiple Go Runtime CVEs Impact Security and Availability
flagd: Multiple Go Runtime CVEs Impact Security and Availability
### Summary
In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling.
| CVE ID | Impacted Package | Severity | Description & Impact on flagd |
| -- | -- | -- | -- |
| CVE-2025-47907 | database/sql | 7.0 (High) | Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations. |
| CVE-2025-61725 | net/mail | 7.5 (High) | DoS: Inefficient complexity in ParseAdd
GHSA
OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
ghsa·2025-11-06·CVSS 4.3
[MEDIUM] CWE-1395 OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
### Impact
Unauthenticated denial of service.
### Summary
When installing module packages from attacker-controlled sources, `tofu init` may use unbounded memory, cause high CPU usage, or crash when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnerabilities **do not** permit
OSV
OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
osv·2025-11-06·CVSS 4.3
[MEDIUM] OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
### Impact
Unauthenticated denial of service.
### Summary
When installing module packages from attacker-controlled sources, `tofu init` may use unbounded memory, cause high CPU usage, or crash when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnerabilities **do not** permit
GHSA
GHSA-frhw-mqj2-wxw2: Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the cer
ghsa_unreviewed·2025-10-30
CVE-2025-58187 [MEDIUM] CWE-407 GHSA-frhw-mqj2-wxw2: Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the cer
Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
OSV
Quadratic complexity when checking name constraints in crypto/x509
osv·2025-10-29
CVE-2025-58187 Quadratic complexity when checking name constraints in crypto/x509
Quadratic complexity when checking name constraints in crypto/x509
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
OSV
CVE-2025-58187: Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the cer
osv·2025-10-29·CVSS 7.5
CVE-2025-58187 [HIGH] CVE-2025-58187: Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the cer
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Red Hat
crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
vendor_redhat·2025-10-29·CVSS 7.5
CVE-2025-58187 [HIGH] CWE-770 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
A potential denial of service flaw has been discovered in golang's crypto/x509 module. Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and d
Microsoft
Quadratic complexity when checking name constraints in crypto/x509
vendor_msrc·2025-10-14·CVSS 5.3
CVE-2025-58187 [HIGH] Quadratic complexity when checking name constraints in crypto/x509
Quadratic complexity when checking name constraints in crypto/x509
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Debian
CVE-2025-58187: golang-1.15 - Due to the design of the name constraint checking algorithm, the processing time...
vendor_debian·2025·CVSS 7.5
CVE-2025-58187 [HIGH] CVE-2025-58187: golang-1.15 - Due to the design of the name constraint checking algorithm, the processing time...
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-58187 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
bugzilla·2025-10-29·CVSS 7.5
CVE-2025-58187 [HIGH] CVE-2025-58187 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
CVE-2025-58187 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Wiz
GHSA-4c5f-9mj4-m247 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-47907 [HIGH] GHSA-4c5f-9mj4-m247 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4c5f-9mj4-m247 :
vulnerability analysis and mitigation
## Summary
In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling.
CVE-2025-47907
database/sql
7.0 (High)
Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations.
CVE-2025-61725
net/mail
7.5 (High)
DoS: Inefficient complexity in ParseAddress. Attackers can provide crafted email strings with large domain literals to exhaust CPU if flagd parse
2025-10-29
Published