{"id":"GO-2025-4007","summary":"Quadratic complexity when checking name constraints in crypto/x509","details":"Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.\n\nThis affects programs which validate arbitrary certificate chains.","aliases":["BIT-golang-2025-58187","CVE-2025-58187"],"modified":"2026-05-15T10:59:05.127045623Z","published":"2025-10-29T21:49:50Z","related":["CGA-r9wq-rhrr-2p5g","RHSA-2026:7291","RHSA-2026:7385"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-4007","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://go.dev/issue/75681"},{"type":"FIX","url":"https://go.dev/cl/709854"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.9"},{"introduced":"1.25.0"},{"fixed":"1.25.3"}]}],"ecosystem_specific":{"imports":[{"path":"crypto/x509","symbols":["CertPool.AppendCertsFromPEM","Certificate.CheckCRLSignature","Certificate.CheckSignature","Certificate.CheckSignatureFrom","Certificate.CreateCRL","Certificate.Verify","CertificateRequest.CheckSignature","CreateCertificate","CreateCertificateRequest","CreateRevocationList","DecryptPEMBlock","EncryptPEMBlock","MarshalECPrivateKey","MarshalPKCS1PrivateKey","MarshalPKCS1PublicKey","MarshalPKCS8PrivateKey","MarshalPKIXPublicKey","ParseCRL","ParseCertificate","ParseCertificateRequest","ParseCertificates","ParseDERCRL","ParseECPrivateKey","ParsePKCS1PrivateKey","ParsePKCS1PublicKey","ParsePKCS8PrivateKey","ParsePKIXPublicKey","ParseRevocationList","RevocationList.CheckSignatureFrom","SetFallbackRoots","SystemCertPool","domainToReverseLabels","parseSANExtension"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-4007.json"}}],"schema_version":"1.7.5","credits":[{"name":"Jakub Ciolek"}]}