[vulndb] data/reports: add GO-2025-4175
1 view
Skip to first unread message
Roland Shoemaker (Gerrit)
Dec 2, 2025, 3:40:27 PM (12 hours ago) Dec 2
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Roland Shoemaker has uploaded the change for review![]( "Open in Gerrit")
Commit message
data/reports: add GO-2025-4175
- data/reports/GO-2025-4175.yaml
Updates golang/vulndb#4175
Change-Id: Ieaedccb020cc67edfb4f444d2267c032907b96e6
Change diff
diff --git a/data/cve/v5/GO-2025-4175.json b/data/cve/v5/GO-2025-4175.json
new file mode 100644
index 0000000..53727cd
--- /dev/null
+++ b/data/cve/v5/GO-2025-4175.json
@@ -0,0 +1,73 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2025-61727"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "title": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Go standard library",
+ "product": "crypto/x509",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "crypto/x509",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.24.11",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.25.0",
+ "lessThan": "1.25.5",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Certificate.Verify"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-295: Improper Certificate Validation"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/723900"
+ },
+ {
+ "url": "https://go.dev/issue/76442"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4175"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4175.json b/data/osv/GO-2025-4175.json
new file mode 100644
index 0000000..1e7477c
--- /dev/null
+++ b/data/osv/GO-2025-4175.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4175",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-61727"
+ ],
+ "summary": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509",
+ "details": "An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.",
+ "affected": [
+ {
+ "package": {
+ "name": "stdlib",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.24.11"
+ },
+ {
+ "introduced": "1.25.0"
+ },
+ {
+ "fixed": "1.25.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "crypto/x509",
+ "symbols": [
+ "Certificate.Verify"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/723900"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://go.dev/issue/76442"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4175",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-4175.yaml b/data/reports/GO-2025-4175.yaml
new file mode 100644
index 0000000..f9145d2
--- /dev/null
+++ b/data/reports/GO-2025-4175.yaml
@@ -0,0 +1,31 @@
+id: GO-2025-4175
+modules:
+ - module: std
+ versions:
+ - fixed: 1.24.11
+ - introduced: 1.25.0
+ - fixed: 1.25.5
+ vulnerable_at: 1.25.4
+ packages:
+ - package: crypto/x509
+ symbols:
+ - Certificate.Verify
+summary: |-
+ Improper application of excluded DNS name constraints when verifying wildcard
+ names in crypto/x509
+description: |-
+ An excluded subdomain constraint in a certificate chain does not restrict the
+ usage of wildcard SANs in the leaf certificate. For example a constraint that
+ excludes the subdomain test.example.com does not prevent a leaf certificate from
+ claiming the SAN *.example.com.
+references:
+ - fix: https://go.dev/cl/723900
+ - report: https://go.dev/issue/76442
+ - web: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
+cve_metadata:
+ id: CVE-2025-61727
+ cwe: 'CWE-295: Improper Certificate Validation'
+source:
+ id: go-security-team
+ created: 2025-12-02T12:29:34.303548-08:00
+review_status: REVIEWED
Change information
Files:
- A data/cve/v5/GO-2025-4175.json
- A data/osv/GO-2025-4175.json
- A data/reports/GO-2025-4175.yaml
Change size: M
Delta: 3 files changed, 170 insertions(+), 0 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
LUCI-Pass
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Roland Shoemaker (Gerrit)
Dec 2, 2025, 3:41:00 PM (12 hours ago) Dec 2
to goph...@pubsubhelper.golang.org, Neal Patel, Nicholas Husin, golang-co...@googlegroups.com
Attention needed from Neal Patel and Nicholas Husin
Roland Shoemaker voted![]( "Open in Gerrit")
| Auto-Submit | +1 |
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Neal Patel
- Nicholas Husin
Submit Requirements:
Code-Review
LUCI-Pass
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Nicholas Husin (Gerrit)
Dec 2, 2025, 3:42:11 PM (12 hours ago) Dec 2
to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Neal Patel, golang-co...@googlegroups.com
Attention needed from Neal Patel and Roland Shoemaker
Nicholas Husin voted Code-Review+2![]( "Open in Gerrit")
Attention is currently required from:
- Neal Patel
- Roland Shoemaker
Submit Requirements:
Code-Review
LUCI-Pass
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Nicholas Husin (Gerrit)
Dec 2, 2025, 3:42:13 PM (12 hours ago) Dec 2
to Roland Shoemaker, goph...@pubsubhelper.golang.org, Nicholas Husin, Go LUCI, Neal Patel, golang-co...@googlegroups.com
Attention needed from Neal Patel and Roland Shoemaker
Nicholas Husin voted Code-Review+1![]( "Open in Gerrit")
| Code-Review | +1 |
Related details
Attention is currently required from:
- Neal Patel
- Roland Shoemaker
Submit Requirements:
Code-Review
LUCI-Pass
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Gopher Robot (Gerrit)
Dec 2, 2025, 3:56:02 PM (12 hours ago) Dec 2
to Roland Shoemaker, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, Nicholas Husin, Nicholas Husin, Neal Patel, golang-co...@googlegroups.com
Gopher Robot submitted the change![]( "Open in Gerrit")
Change information
Commit message:
data/reports: add GO-2025-4175
- data/reports/GO-2025-4175.yaml
Updates golang/vulndb#4175
Change-Id: Ieaedccb020cc67edfb4f444d2267c032907b96e6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/726060
Auto-Submit: Roland Shoemaker <rol...@golang.org>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Nicholas Husin <n...@golang.org>
LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>
Files:
- A data/cve/v5/GO-2025-4175.json
- A data/osv/GO-2025-4175.json
- A data/reports/GO-2025-4175.yaml
Change size: M
Delta: 3 files changed, 170 insertions(+), 0 deletions(-)
Branch: refs/heads/master
Submit Requirements:
Code-Review: +1 by Nicholas Husin, +2 by Nicholas Husin
TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages