
CVE-2025-61727 · CVSS 5.3 (Medium)

crypto/x509: Subdomain Exclusion Constraint Does Not Restrict Wildcard SANs

Exploitable under specific conditions

This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.

KrakenD validates TLS certificates on backend connections. If a backend presents a certificate chain with subdomain exclusion constraints, the validation bypass could allow a certificate covering broader subdomains than intended to be accepted. This requires mTLS or strict backend certificate verification to be enabled.

Component: Go standard library (crypto/x509)

Disclosed: Dec 4, 2025

CVSS Score: 5.3

Description

Go’s crypto/x509 certificate chain validator does not enforce excluded-subdomain constraints against wildcard Subject Alternative Names (SANs) in leaf certificates. A constraint excluding test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com, allowing a certificate that should be restricted to be accepted as valid for subdomains it was explicitly excluded from.
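The overlap the description refers to can be checked independently of the Go runtime version. The following Go program is an added example, not KrakenD's code and not the patch applied to Go's crypto/x509: it walks a verified chain leaf-first, reads each CA's ExcludedDNSDomains, and reports any leaf DNS SAN whose coverage intersects an excluded subtree, treating a wildcard as standing for exactly one DNS label (so *.example.com does reach test.example.com, but not a.test.example.com). The certificate chain it builds in ExampleChain is constructed in memory with only the fields the check reads; the names used are assumptions, not values from the advisory.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// Violation records one leaf DNS SAN that can be used for a name inside an
// excluded dNSName subtree declared by a CA higher in the chain.
type Violation struct {
	SAN      string
	Excluded string
	Issuer   string
}

// normalize lowercases a DNS name and strips a trailing dot so comparisons
// are insensitive to case and to the absolute/relative form.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// withinSubtree reports whether host equals, or is a subdomain of, the
// constraint name (RFC 5280 dNSName name-constraint semantics).
// An empty constraint covers every name.
func withinSubtree(host, constraint string) bool {
	host, constraint = normalize(host), normalize(constraint)
	if constraint == "" {
		return true
	}
	return host == constraint || strings.HasSuffix(host, "."+constraint)
}

// wildcardOverlapsSubtree reports whether a wildcard SAN such as
// "*.example.com" can match at least one name inside the excluded subtree.
// A wildcard stands for exactly one label, so the two sets intersect when
//   (a) the wildcard's base is itself inside the excluded subtree
//       (SAN *.test.example.com vs excluded test.example.com), or
//   (b) the excluded name sits exactly one label below the base
//       (SAN *.example.com vs excluded test.example.com, the advisory's case).
// An excluded name two or more labels below the base (a.test.example.com)
// cannot be produced by a single-label wildcard and does not overlap.
func wildcardOverlapsSubtree(san, excluded string) bool {
	base := normalize(strings.TrimPrefix(san, "*."))
	excl := normalize(excluded)
	if withinSubtree(base, excl) {
		return true
	}
	if strings.HasSuffix(excl, "."+base) {
		remaining := strings.TrimSuffix(excl, "."+base)
		return !strings.Contains(remaining, ".")
	}
	return false
}

// sanCoversExcluded decides for one SAN, wildcard or literal, whether it
// reaches into the excluded subtree.
func sanCoversExcluded(san, excluded string) bool {
	if strings.HasPrefix(san, "*.") {
		return wildcardOverlapsSubtree(san, excluded)
	}
	return withinSubtree(san, excluded)
}

// CheckExcludedDNSConstraints takes a chain ordered leaf first, then the
// issuing CAs, and returns every leaf DNS SAN that intersects an excluded
// dNSName subtree declared by any CA above it. An empty result means the
// leaf's DNS names honour all exclusions in the chain.
func CheckExcludedDNSConstraints(chain []*x509.Certificate) []Violation {
	if len(chain) == 0 {
		return nil
	}
	leaf := chain[0]
	var out []Violation
	for _, ca := range chain[1:] {
		for _, excl := range ca.ExcludedDNSDomains {
			for _, san := range leaf.DNSNames {
				if sanCoversExcluded(san, excl) {
					out = append(out, Violation{SAN: san, Excluded: excl, Issuer: ca.Subject.CommonName})
				}
			}
		}
	}
	return out
}

// ExampleChain builds, without keys or signatures, the chain shape from the
// advisory: an intermediate excluding test.example.com and a leaf claiming
// *.example.com. Constructed example data; only the fields the check reads
// are populated, so this is not a real or verifiable certificate chain.
func ExampleChain() []*x509.Certificate {
	intermediate := &x509.Certificate{
		IsCA:               true,
		ExcludedDNSDomains: []string{"test.example.com"},
	}
	intermediate.Subject.CommonName = "Constructed Intermediate CA"
	leaf := &x509.Certificate{
		DNSNames: []string{"*.example.com", "api.example.org"},
	}
	leaf.Subject.CommonName = "constructed wildcard leaf"
	return []*x509.Certificate{leaf, intermediate}
}

func main() {
	for _, v := range CheckExcludedDNSConstraints(ExampleChain()) {
		fmt.Printf("SAN %q reaches into excluded subtree %q (constraint set by %q)\n",
			v.SAN, v.Excluded, v.Issuer)
	}
}
```

Run against ExampleChain, the check flags *.example.com against test.example.com and leaves api.example.org alone. In a Go TLS client this kind of check can be run as defence in depth from tls.Config's VerifyPeerCertificate callback over each chain in verifiedChains, which executes after the standard library's own validation; it does not replace upgrading to a fixed KrakenD release, which carries the corrected crypto/x509.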

Version summary

Community Edition: 2.12.1 addresses this CVE. Affected CE versions: >= 2.0, < 2.12.1

Enterprise Edition: 2.12.2 addresses this CVE. Affected EE versions: >= 2.0, < 2.12.2

Upgrade to the addressed version or later to remediate this vulnerability.
