KrakenD EE 2.12.2 update released
by Albert Lombarte
The release of KrakenD Enterprise 2.12.2 upgrades the Go runtime to version 1.25.5, directly addressing two CVEs discovered in Go’s TLS certificate handling:
- CVE-2025-61727: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Possible Impact: Attackers could bypass subdomain exclusion policies in certificate chains, potentially allowing unauthorized certificate usage.
- CVE-2025-61729: Within HostnameError.Error(), there is no limit to the number of hosts printed when constructing an error string. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Possible Impact: A malicious certificate provided by an attacker can result in excessive CPU and memory consumption, potentially causing denial-of-service conditions.
Recommendation: While exploiting these vulnerabilities is very hard, all users should upgrade. These vulnerabilities affect any KrakenD deployment that processes TLS certificates, especially those in environments where untrusted or malicious certificates could be encountered.
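To make the two Go issues above concrete, here is an added Go example; it is not KrakenD's or Go's own code. The first part reimplements the RFC 5280 DNS name-constraint rule in simplified form and shows why a literal label comparison does not flag the wildcard SAN *.example.com against an excluded subtree test.example.com, then adds a wildcard-aware check of the kind a chain-inspection tool would want (this is an illustrative check written here, not the patch shipped in Go 1.25.5). The second part builds a hostname-mismatch message with a hard cap on the hosts listed and a single strings.Builder instead of repeated concatenation, the pattern that avoids the unbounded, quadratic behaviour described for HostnameError.Error(). All hostnames, the SAN lists and the maxHostsInError cap are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// reverseLabels splits a DNS name into labels, rightmost first, which is the
// order in which name-constraint matching walks a name from the TLD inward.
func reverseLabels(domain string) []string {
	domain = strings.TrimSuffix(strings.ToLower(domain), ".")
	parts := strings.Split(domain, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// MatchesDNSConstraint applies the RFC 5280 DNS-constraint rule literally:
// the constraint's labels must be a suffix of the name's labels. A leading
// dot (".example.com") restricts the match to strict subdomains.
// A "*" label is compared like any other label, which is the gap:
// "*.example.com" does not literally match "test.example.com".
func MatchesDNSConstraint(name, constraint string) bool {
	if constraint == "" {
		return true
	}
	mustHaveSubdomains := strings.HasPrefix(constraint, ".")
	constraint = strings.TrimPrefix(constraint, ".")
	nl, cl := reverseLabels(name), reverseLabels(constraint)
	if len(nl) < len(cl) || (mustHaveSubdomains && len(nl) == len(cl)) {
		return false
	}
	for i := range cl {
		if nl[i] != cl[i] {
			return false
		}
	}
	return true
}

// WildcardCoversConstraint is the illustrative extra check (constructed for
// this example): a wildcard SAN matches exactly one label, so it can reach a
// host inside an excluded subtree only when the excluded name sits exactly one
// label below the wildcard's base domain. A leading-dot constraint names
// strict subdomains, which a single-label wildcard cannot reach.
func WildcardCoversConstraint(san, constraint string) bool {
	if !strings.HasPrefix(san, "*.") || strings.HasPrefix(constraint, ".") {
		return false
	}
	bl, cl := reverseLabels(strings.TrimPrefix(san, "*.")), reverseLabels(constraint)
	if len(cl) != len(bl)+1 {
		return false
	}
	for i := range bl {
		if bl[i] != cl[i] {
			return false
		}
	}
	return true
}

// ExcludedViolations lists leaf SANs that fall inside any excluded subtree
// under either the literal rule or the wildcard-aware rule.
func ExcludedViolations(sans, excluded []string) []string {
	var out []string
	for _, san := range sans {
		for _, ex := range excluded {
			if MatchesDNSConstraint(san, ex) || WildcardCoversConstraint(san, ex) {
				out = append(out, san+" is covered by excluded subtree "+ex)
				break
			}
		}
	}
	return out
}

// maxHostsInError is a constructed cap on how many SANs an error lists.
const maxHostsInError = 8

// HostnameMismatchMessage builds a "valid for X, not Y" message with a bounded
// host list and one strings.Builder, so an attacker-supplied certificate with
// thousands of SANs cannot drive quadratic concatenation or unbounded output.
func HostnameMismatchMessage(host string, sans []string) string {
	var b strings.Builder
	b.WriteString("x509: certificate is valid for ")
	n := len(sans)
	if n > maxHostsInError {
		n = maxHostsInError
	}
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteString(", ")
		}
		b.WriteString(sans[i])
	}
	if len(sans) > maxHostsInError {
		fmt.Fprintf(&b, " (and %d more)", len(sans)-maxHostsInError)
	}
	b.WriteString(", not ")
	b.WriteString(host)
	return b.String()
}

func main() {
	// Constructed sample chain data: an excluded subtree on the issuing CA
	// and the SANs claimed by a leaf certificate.
	excluded := []string{"test.example.com"}
	sans := []string{"*.example.com", "api.example.org"}
	fmt.Println("literal rule flags *.example.com:       ", MatchesDNSConstraint(sans[0], excluded[0]))
	fmt.Println("wildcard-aware rule flags *.example.com:", WildcardCoversConstraint(sans[0], excluded[0]))
	for _, v := range ExcludedViolations(sans, excluded) {
		fmt.Println("violation:", v)
	}
	many := make([]string, 1000)
	for i := range many {
		many[i] = fmt.Sprintf("h%d.example.com", i)
	}
	fmt.Println(HostnameMismatchMessage("other.example.net", many))
}
```

The literal rule returns false for the wildcard SAN while the wildcard-aware rule returns true, which is exactly the mismatch between constraint checking and later hostname verification that the first CVE describes; the message builder shows the bounded, linear-time shape the second CVE calls for.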
🚀 Summary of changes for EE v2.12.2 (patch)
Recommended security upgrade for TLS users
- Added a more verbose error logging for the persistent quota connector
- Prevent the wildcard from removing trailing slashes from the final URL used to consume the upstream
- Upgraded Go to 1.25.5 addressing CVE-2025-61727 and CVE-2025-61729
Upgrading to the latest version is always advised.
Categories: Product Updates, Security