GO-2025-4007
- Source
- https://pkg.go.dev/vuln/GO-2025-4007
- Import Source
- https://vuln.go.dev/ID/GO-2025-4007.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2025-4007
- Aliases
-
- BIT-golang-2025-58187
- CVE-2025-58187
- Published
- 2025-10-29T21:49:50Z
- Modified
- 2025-11-06T13:59:40.586079Z
- Summary
- Quadratic complexity when checking name constraints in crypto/x509
- Details
-
Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
- Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2025-4007", "review_status": "REVIEWED" }- References
- Credits
-
-
- Jakub Ciolek
-
Affected packages
Go / stdlib
Package
- Name
- stdlib
- View open source insights on deps.dev
- Purl
- pkg:golang/stdlib
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.24.9Introduced1.25.0Fixed1.25.3
Ecosystem specific
{
"imports": [
{
"path": "crypto/x509",
"symbols": [
"CertPool.AppendCertsFromPEM",
"Certificate.CheckCRLSignature",
"Certificate.CheckSignature",
"Certificate.CheckSignatureFrom",
"Certificate.CreateCRL",
"Certificate.Verify",
"CertificateRequest.CheckSignature",
"CreateCertificate",
"CreateCertificateRequest",
"CreateRevocationList",
"DecryptPEMBlock",
"EncryptPEMBlock",
"MarshalECPrivateKey",
"MarshalPKCS1PrivateKey",
"MarshalPKCS1PublicKey",
"MarshalPKCS8PrivateKey",
"MarshalPKIXPublicKey",
"ParseCRL",
"ParseCertificate",
"ParseCertificateRequest",
"ParseCertificates",
"ParseDERCRL",
"ParseECPrivateKey",
"ParsePKCS1PrivateKey",
"ParsePKCS1PublicKey",
"ParsePKCS8PrivateKey",
"ParsePKIXPublicKey",
"ParseRevocationList",
"RevocationList.CheckSignatureFrom",
"SetFallbackRoots",
"SystemCertPool",
"domainToReverseLabels",
"parseSANExtension"
]
}
]
}