logo

Database

Insecure digital certificates In rustls-webpki

Description

webpki: Name constraints were accepted for certificates asserting a wildcard name Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.

This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-xgp8-3hg3-c2mh2. GCVE-GHSA-xgp8-3hg3-c2mh

References

1. https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh2. https://rustsec.org/advisories/RUSTSEC-2026-0099.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.