CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-45341: Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509

Description

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

Classification

CVE ID: CVE-2024-45341

Affected Products

Vendor: Go standard library

Product: crypto/x509

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.25% (scored less or equal to compared to others)

EPSS Date: 2025-02-27 (when was this score calculated)

References

https://go.dev/cl/643099
https://go.dev/issue/71156
https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
https://pkg.go.dev/vuln/GO-2025-3373

Timeline

2025-01-29 10:30:06 UTC
CVE

Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509