CVE-2025-61727

MEDIUM severity · CVSS 6.5 · CWE-295

6.5CVSS MEDIUM

Summary

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://go.dev/cl/723900 ↗

Additional information

NVD record
https://go.dev/cl/723900Patch
https://pkg.go.dev/vuln/GO-2025-4175Advisory
https://go.dev/issue/76442
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4