CVE-2025-61727
published 2025-12-03CVE-2025-61727: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that…
PriorityP432medium6.5CVSS 3.1
AVNACLPRNUINSUCLILAN
EPSS
0.27%
18.5th percentile
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cryptography.io | cryptography | >= 0 < 46.0.6 | 46.0.6 |
| debian | golang-1.15 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| github.com | opentofu_opentofu | >= 0 < 1.10.8 | 1.10.8 |
| go_standard_library | crypto_x509 | < 1.24.11 | 1.24.11 |
| go_standard_library | crypto_x509 | >= 1.25.0 < 1.25.5 | 1.25.5 |
| golang | go | < 1.24.11 | 1.24.11 |
| golang | go | >= 1.25 < 1.25.5 | 1.25.5 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.12-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.25.5-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.25.6-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.25.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.25.8-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.26.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gcc_11.2.0-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.11-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.12-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.13-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
ghsa6.5MEDIUM
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_msrc6.5MEDIUM
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
vendor_msrc·2025-12-09·CVSS 6.5
CVE-2025-61727 [MEDIUM] Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Red Hat
golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
vendor_redhat·2025-12-03·CVSS 6.5
CVE-2025-61727 [MEDIUM] CWE-295 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
A flaw was found in the crypto/x509 package in the Go standard library. This vulnerability allows a certificate validation bypass via an excluded subdomain constraint in a certificated chain as it does not restrict the usage of wildcard SANs in the leaf certificate.
Statement: To exploit this issue, an attacker needs to obtain a leaf certificate with a wildcard SAN (e.g., *.example.com) and the legitimate certificate policy must contain an e
Debian
CVE-2025-61727: golang-1.15 - An excluded subdomain constraint in a certificate chain does not restrict the us...
vendor_debian·2025·CVSS 6.5
CVE-2025-61727 [MEDIUM] CVE-2025-61727: golang-1.15 - An excluded subdomain constraint in a certificate chain does not restrict the us...
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
Scope: local
bullseye: open
GHSA
webpki: Name constraints were accepted for certificates asserting a wildcard name
ghsa·2026-04-16·CVSS 6.5
CVE-2025-61727 [MEDIUM] CWE-295 webpki: Name constraints were accepted for certificates asserting a wildcard name
webpki: Name constraints were accepted for certificates asserting a wildcard name
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
OSV
cryptography has incomplete DNS name constraint enforcement on peer names
osv·2026-03-27·CVSS 6.5
CVE-2026-34073 [MEDIUM] cryptography has incomplete DNS name constraint enforcement on peer names
cryptography has incomplete DNS name constraint enforcement on peer names
## Summary
In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.
This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, crypt
GHSA
cryptography has incomplete DNS name constraint enforcement on peer names
ghsa·2026-03-27·CVSS 6.5
CVE-2026-34073 [MEDIUM] CWE-295 cryptography has incomplete DNS name constraint enforcement on peer names
cryptography has incomplete DNS name constraint enforcement on peer names
## Summary
In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.
This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, crypt
OSV
OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs
osv·2025-12-09·CVSS 6.5
[MEDIUM] OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs
OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs
When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard [SANs](https://en.wikipedia.org/wiki/Public_key_certificate#Subject_Alternative_Name_certificate) in the leaf certificate.
For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
### Details
When acting as a TLS client, OpenTofu relies on the implementation of TLS certificate verification from the standard library of the Go programming language.
The Go project has recently published th
GHSA
OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs
ghsa·2025-12-09·CVSS 6.5
[MEDIUM] CWE-1395 OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs
OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs
When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard [SANs](https://en.wikipedia.org/wiki/Public_key_certificate#Subject_Alternative_Name_certificate) in the leaf certificate.
For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
### Details
When acting as a TLS client, OpenTofu relies on the implementation of TLS certificate verification from the standard library of the Go programming language.
The Go project has recently published th
OSV
CVE-2025-61727: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
osv·2025-12-03·CVSS 6.5
CVE-2025-61727 [MEDIUM] CVE-2025-61727: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
GHSA
GHSA-5mh9-3jwc-rp59: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
ghsa_unreviewed·2025-12-03
CVE-2025-61727 [MEDIUM] GHSA-5mh9-3jwc-rp59: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
OSV
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
osv·2025-12-02
CVE-2025-61727 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-61727 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
bugzilla·2025-12-03·CVSS 6.5
CVE-2025-61727 [MEDIUM] CVE-2025-61727 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
CVE-2025-61727 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
Wiz
GHSA-mjcp-gpgx-ggcg Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
[MEDIUM] GHSA-mjcp-gpgx-ggcg Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mjcp-gpgx-ggcg :
vulnerability analysis and mitigation
When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate.
For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
## Details
When acting as a TLS client, OpenTofu relies on the implementation of TLS certificate verification from the standard library of the Go programming language.
The Go project has recently published the following advisory for that which indirectly affects OpenTofu's behavior:
CVE-2025-61727 : Improper application of excluded DNS name constraints when
2025-12-03
Published