CVE-2024-45341
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
Vexday Risk Score
13 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1 · EPSS 0.5% · KEV no · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
28 Jan 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A certificate with a URI that has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs that make use of URIs.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Go standard library · crypto/x509