KrakenD CE 2.13.7 and EE 2.13.5 update released

CVE-2026-27145 Medium Impact

crypto/x509: Denial of Service via Quadratic Complexity in Hostname Verification

Exploitable under specific conditions

This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.

KrakenD validates TLS certificates when connecting to HTTPS backends. A backend serving a TLS certificate with a large DNS SAN list can cause excessive CPU usage during hostname verification. Deployments connecting to external or untrusted HTTPS backends are most exposed.

Component

Go standard library (crypto/x509)

Disclosed

Jun 3, 2026

Description

Go’s crypto/x509 package called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries without pre-splitting the candidate hostname. This caused strings.Split(host, ".") to execute repeatedly, making hostname verification cost scale quadratically with the number of SAN entries multiplied by the hostname’s label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurs even for untrusted certificates, enabling denial of service through excessive CPU consumption.
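The following Go program is an added illustration and is not code from the Go standard library or from KrakenD. It reproduces the cost pattern the description names (re-splitting the hostname inside the loop over SAN entries versus splitting it once), counts the Split calls so the difference is visible, and shows a defensive pre-check a gateway could apply to a backend's leaf certificate: refusing certificates whose DNS SAN list exceeds a limit before any hostname matching runs. The function names, the simplified wildcard handling in matchLabels, the self-signed test certificate and the maxDNSSANs limit are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// matchLabels compares an already-split hostname against one SAN pattern.
// Simplified wildcard rule for this example: a leading "*" label matches any
// single label. Case-insensitive, as DNS names are.
func matchLabels(hostLabels []string, pattern string) bool {
	patLabels := strings.Split(pattern, ".")
	if len(patLabels) != len(hostLabels) {
		return false
	}
	for i, p := range patLabels {
		if i == 0 && p == "*" {
			continue
		}
		if !strings.EqualFold(p, hostLabels[i]) {
			return false
		}
	}
	return true
}

// matchQuadratic mirrors the costly shape described in the advisory: the
// hostname is split again for every SAN entry, so the work done on the host
// string grows with len(sans) multiplied by the number of labels in host.
// It returns whether any SAN matched and how many times host was split.
func matchQuadratic(host string, sans []string) (bool, int) {
	splits := 0
	for _, san := range sans {
		hostLabels := strings.Split(host, ".") // repeated once per SAN
		splits++
		if matchLabels(hostLabels, san) {
			return true, splits
		}
	}
	return false, splits
}

// matchPreSplit is the shape of the fix: split the hostname once up front and
// reuse the labels for every SAN entry.
func matchPreSplit(host string, sans []string) (bool, int) {
	hostLabels := strings.Split(host, ".")
	for _, san := range sans {
		if matchLabels(hostLabels, san) {
			return true, 1
		}
	}
	return false, 1
}

// maxDNSSANs is a constructed limit for this example; tune it to the largest
// SAN list your backends legitimately present.
const maxDNSSANs = 100

var errTooManySANs = errors.New("certificate carries too many DNS SANs")

// guardSANCount rejects a leaf certificate whose DNS SAN list is oversized,
// before any hostname matching is attempted on it.
func guardSANCount(cert *x509.Certificate, max int) error {
	if len(cert.DNSNames) > max {
		return fmt.Errorf("%w: %d > %d", errTooManySANs, len(cert.DNSNames), max)
	}
	return nil
}

// makeCertWithSANs builds a self-signed test certificate (constructed input)
// carrying n DNS SANs of the form host<i>.example.test.
func makeCertWithSANs(n int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sans := make([]string, n)
	for i := range sans {
		sans[i] = fmt.Sprintf("host%d.example.test", i)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "backend.example.test"},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeCertWithSANs(500)
	if err != nil {
		panic(err)
	}
	fmt.Println("guard:", guardSANCount(cert, maxDNSSANs))
	_, q := matchQuadratic("host499.example.test", cert.DNSNames)
	_, p := matchPreSplit("host499.example.test", cert.DNSNames)
	fmt.Printf("host splits: quadratic=%d presplit=%d\n", q, p)
}
```

The guard is only useful if it runs before the expensive step; in Go's TLS client that means doing it in a custom verification callback rather than relying on hooks that fire after standard verification has already completed, and the real protection is upgrading to a fixed Go build as the advisory states.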

Version summary

Community Edition

2.13.7

addresses this CVE

Affected CE versions

>= 2.0, < 2.13.7

Enterprise Edition

2.13.5

addresses this CVE

Affected EE versions

>= 2.0, < 2.13.5

Upgrade to the addressed version or later to remediate this vulnerability.
