CVE-2025-61727 — Improper Certificate Validation in Standard Library Crypto X509
Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 98.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 3
Latest update: Apr 16
Description
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
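The gap described above, as an added Go illustration (not the crypto/x509 code or its patch): a suffix-only excluded-constraint check beside one that also accounts for wildcard SANs. The function names are hypothetical, and the sketch assumes plain-name constraints without a leading dot and a "*" that stands for exactly one leftmost label.

```go
package main

import (
	"fmt"
	"strings"
)

// labels lower-cases a DNS name, drops one trailing dot and splits it into labels.
func labels(name string) []string {
	return strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
}

// endsWith reports whether name ends with every label of suffix.
func endsWith(name, suffix []string) bool {
	if len(suffix) > len(name) {
		return false
	}
	off := len(name) - len(suffix)
	for i, l := range suffix {
		if name[off+i] != l {
			return false
		}
	}
	return true
}

// naiveExcluded (hypothetical) compares the SAN literally: it is excluded only
// when it equals the constraint or sits below it. "*" is treated as a plain label.
func naiveExcluded(san, constraint string) bool {
	return endsWith(labels(san), labels(constraint))
}

// wildcardAwareExcluded (hypothetical) also rejects a wildcard SAN that can
// stand for the excluded name itself.
func wildcardAwareExcluded(san, constraint string) bool {
	s, c := labels(san), labels(constraint)
	if endsWith(s, c) {
		return true
	}
	// Assumption: "*" covers exactly one label, so *.example.com reaches
	// test.example.com but not a.test.example.com.
	return s[0] == "*" && len(c) == len(s) && endsWith(c, s[1:])
}

func main() {
	// Constructed sample names; the first is the SAN from the description.
	for _, san := range []string{"*.example.com", "a.test.example.com", "www.example.com"} {
		fmt.Printf("%-20s naive=%-5v wildcard-aware=%v\n", san,
			naiveExcluded(san, "test.example.com"), wildcardAwareExcluded(san, "test.example.com"))
	}
}
```

A stricter validator could reject any wildcard whose base domain contains an excluded name at any depth; the single-label rule here is the narrowest check that closes the case in the description.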
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5
Affected Packages: 2 packages
Vulnerability Details (5)
CVEList: Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 (2025-12-03)
OSV: CVE-2025-61727: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate (2025-12-03)
GHSA: GHSA-5mh9-3jwc-rp59: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate (2025-12-03)
OSV: Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 (2025-12-02)
Vendor Advisories (3)
Community (1)
Bugzilla: CVE-2025-61727 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs (2025-12-03)