tls-extra does not check the Basic Constraints extension (RFC 5280, section 4.2.1.9) during certificate chain processing: every certificate in the chain is treated as a CA certificate, regardless of whether it carries the extension with cA set to TRUE. As a consequence, anyone who holds a valid end-entity certificate issued by a trusted CA can use its key to sign a further certificate with an arbitrary subject DN or domain name embedded in it, and a tls peer that validates chains with tls-extra accepts the result. This allows man-in-the-middle attacks on TLS connections. A correct implementation must verify, for every certificate that signs another certificate in the chain, that Basic Constraints is present with cA=TRUE, and must also honour any pathLenConstraint in it, since a CA that is only permitted to issue end-entity certificates could otherwise issue a subordinate CA that the cA check alone would accept.
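The following is an added example, not code from tls-extra or the Haskell security-advisories project, that models the missing check. It parses a DER-encoded BasicConstraints value and runs a small chain-validation routine twice over constructed in-memory certificate records: once with only issuer/subject linkage (the flawed behaviour described above) and once with the cA and pathLenConstraint checks. Signature verification, hostname matching, expiry and revocation are assumed to be handled elsewhere; the certificate names, the `Cert` record and the helper functions are assumptions made for this example.

```python
"""Basic Constraints parsing and CA checks in chain validation (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SEQUENCE, BOOLEAN, INTEGER = 0x30, 0x01, 0x02


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Decode a DER BasicConstraints value (RFC 5280, 4.2.1.9):
        BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                        pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    Returns (cA, pathLenConstraint). Short-form lengths only; the extension
    is at most a few bytes long, so that covers real encodings."""
    if len(der) < 2 or der[0] != SEQUENCE:
        raise ValueError("expected SEQUENCE")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form length")
    body = der[2:]
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == BOOLEAN:
        if pos + 3 > len(body) or body[pos + 1] != 1:
            raise ValueError("malformed BOOLEAN")
        if body[pos + 2] not in (0x00, 0xFF):  # DER permits only these encodings
            raise ValueError("non-DER BOOLEAN value")
        ca = body[pos + 2] == 0xFF
        pos += 3
    if pos < len(body) and body[pos] == INTEGER:
        if pos + 2 > len(body):
            raise ValueError("malformed INTEGER")
        ilen = body[pos + 1]
        raw = body[pos + 2:pos + 2 + ilen]
        if ilen == 0 or len(raw) != ilen:
            raise ValueError("malformed INTEGER")
        path_len = int.from_bytes(raw, "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
        pos += 2 + ilen
    if pos != len(body):
        raise ValueError("trailing data")
    return ca, path_len


@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for a parsed certificate (assumption for this example)."""
    subject: str
    issuer: str
    basic_constraints: Optional[bytes] = None  # raw DER value; None = extension absent


def is_ca(cert: Cert) -> Tuple[bool, Optional[int]]:
    # No extension at all means "not a CA" (RFC 5280, 4.2.1.9).
    if cert.basic_constraints is None:
        return False, None
    return parse_basic_constraints(cert.basic_constraints)


def validate_chain_vulnerable(chain: List[Cert], trusted: Set[str]) -> Tuple[bool, str]:
    """The flawed behaviour: trust anchor and name linkage only, so any
    certificate in the chain is allowed to act as an issuer."""
    if not chain or chain[-1].subject not in trusted:
        return False, "untrusted root"
    for child, issuer in zip(chain, chain[1:]):  # chain is leaf first, root last
        if child.issuer != issuer.subject:
            return False, f"{child.subject}: issuer name mismatch"
    return True, "ok"


def validate_chain(chain: List[Cert], trusted: Set[str]) -> Tuple[bool, str]:
    """Corrected check: each issuing certificate must assert cA=TRUE, and a
    pathLenConstraint of k allows at most k CA certificates below it
    (self-issued certificates are not special-cased in this simplified model)."""
    ok, why = validate_chain_vulnerable(chain, trusted)
    if not ok:
        return ok, why
    for depth, issuer in enumerate(chain[1:], start=1):  # chain[depth] signed chain[depth-1]
        try:
            ca, path_len = is_ca(issuer)
        except ValueError as exc:
            return False, f"{issuer.subject}: {exc}"
        if not ca:
            return False, f"{issuer.subject}: signed a certificate but is not a CA"
        intermediates_below = depth - 1  # CA certs strictly between issuer and the leaf
        if path_len is not None and intermediates_below > path_len:
            return False, f"{issuer.subject}: pathLenConstraint={path_len} exceeded"
    return True, "ok"


# Constructed sample chains (not real certificates).
BC_CA = bytes.fromhex("30030101ff")            # cA=TRUE, no path length
BC_CA_LEN0 = bytes.fromhex("30060101ff020100")  # cA=TRUE, pathLenConstraint=0
BC_CA_LEN1 = bytes.fromhex("30060101ff020101")  # cA=TRUE, pathLenConstraint=1
BC_LEAF = bytes.fromhex("3000")                 # empty SEQUENCE: cA defaults to FALSE
TRUSTED = {"Root CA"}
ROOT = Cert("Root CA", "Root CA", BC_CA_LEN1)
EXAMPLE_CA = Cert("Example CA", "Root CA", BC_CA_LEN0)
EXAMPLE_LEAF = Cert("www.example.com", "Example CA", BC_LEAF)
LEGIT_CHAIN = [EXAMPLE_LEAF, EXAMPLE_CA, ROOT]
# The advisory's attack: the holder of a leaf signs a certificate for another name.
FORGED_LEAF = Cert("www.victim.example", "www.example.com", BC_LEAF)
ATTACK_CHAIN = [FORGED_LEAF, EXAMPLE_LEAF, EXAMPLE_CA, ROOT]
# A cA-only check would miss this: a sub-CA issued below a pathLenConstraint=0 CA.
ROGUE_SUB_CA = Cert("Rogue Sub CA", "Example CA", BC_CA)
PATHLEN_CHAIN = [Cert("www.victim.example", "Rogue Sub CA", BC_LEAF), ROGUE_SUB_CA, EXAMPLE_CA, ROOT]

if __name__ == "__main__":
    for name, chain in (("legitimate", LEGIT_CHAIN), ("leaf as CA", ATTACK_CHAIN), ("pathLen", PATHLEN_CHAIN)):
        print(f"{name:12} vulnerable={validate_chain_vulnerable(chain, TRUSTED)[0]} fixed={validate_chain(chain, TRUSTED)}")
```

Running the block shows the flawed validator accepting all three chains while the corrected one rejects the forged leaf ("www.example.com: signed a certificate but is not a CA") and the rogue sub-CA ("Example CA: pathLenConstraint=0 exceeded"). In a real implementation the same two checks are applied on top of signature verification, and an end-entity certificate that lacks the extension entirely must be treated exactly like one with cA=FALSE.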
{ "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export", "home": "https://haskell.github.io/security-advisories", "repository": "https://github.com/haskell/security-advisories" }