AI description
CVE-2025-61727 refers to a security vulnerability found in Go versions 1.25.5 and 1.24.11. Specifically, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. This vulnerability could allow a malicious actor to bypass intended security restrictions related to certificate validation. The issue is addressed in Go versions 1.25.5 and 1.24.11.
- Description
- An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
- Source
- security@golang.org
- NVD status
- Analyzed
- Products
- go
CVSS 3.1
- Type
- Secondary
- Base score
- 6.5
- Impact score
- 2.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- nvd@nist.gov
- CWE-295
- Hype score
- Not currently trending
Critical Go sec update for #Mageia 9: MGASA-2025-0326 patches CVE-2025-61727 (DNS constraint bypass in crypto/x509) & CVE-2025-61729 (resource exhaustion DoS). Read more: ๐ https://t.co/84x7Bln9EY #Security https://t.co/RYWVRzshYk
@Cezar_H_Linux
13 Dec 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
openSUSE releases Go 1.24.11 and 1.25.5 updates fixing crypto/x509 flaws CVE-2025-61727 and CVE-2025-61729 that can cause resource exhaustion and cert validation issues. #Vulnerability https://t.co/M1qJQmfpsR
@threatcluster
10 Dec 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
๐ Critical update for @openSUSE #Tumbleweed users: Advisory 2025:15796-1 patches two "important" severity vulnerabilities in go1.24 (CVE-2025-61727/61729). One allows resource exhaustion via malicious certs. Read more: ๐ https://t.co/12pjW0j7Vv #Security https://t.co/7E9
@Cezar_H_Linux
5 Dec 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-61727 An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes tโฆ https://t.co/JwusLOYNU5
@CVEnew
3 Dec 2025
163 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
๐ Go 1.25.5 and 1.24.11 are released! ๐ Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727). ๐ฃ Announcement: https://t.co/zG9tCI47Nf โฌ๏ธ Download: https://t.co/d45S6FsIsY #golang https://t.co/w6hYSx5Upg
@golang
2 Dec 2025
27211 Impressions
102 Retweets
662 Likes
26 Bookmarks
12 Replies
10 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F2E6FD2A-A487-4099-B91D-2429F286AC6D",
"versionEndExcluding": "1.24.11"
},
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EC1866EE-ABDC-4F74-9657-70A1241D49BD",
"versionEndExcluding": "1.25.5",
"versionStartIncluding": "1.25"
}
],
"operator": "OR"
}
]
}
]