Description
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
References (4)
Core 4
Core References
Patch
https://go.dev/cl/723900
Issue Tracking
https://go.dev/issue/76442
Mailing List, Release Notes
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
Vendor Advisory
https://pkg.go.dev/vuln/GO-2025-4175
Scores
CVSS v3
6.5
EPSS
0.0027
EPSS Percentile
18.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (1)
golang/go
< 1.24.11
Published
Dec 03, 2025
Tracked Since
Feb 18, 2026