| Details |
|
| Package |
rustls-webpki |
| Version |
0.103.10 |
| URL |
n/a |
| Patched Versions |
>=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 |
| Aliases |
GHSA-xgp8-3hg3-c2mh |
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint.
This is very similar to CVE-2025-61727.
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
This vulnerability is identified as GHSA-xgp8-3hg3-c2mh. Thank you to @1seal for the report.
rustls-webpki0.103.10Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of
accept.example.com,*.example.comcould feasibly allow a name ofreject.example.comwhich is outside the constraint.This is very similar to CVE-2025-61727.
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
This vulnerability is identified as GHSA-xgp8-3hg3-c2mh. Thank you to @1seal for the report.