🟠 High | Source: Microsoft Security Response Center
CVE-2025-61727 is a flaw in Go’s crypto/x509 package where excluded DNS name constraints are not correctly applied when validating wildcard certificate names. This means a TLS certificate that should be rejected due to name constraint violations may instead be accepted, potentially allowing an attacker to impersonate restricted domains. Services or applications built with affected versions of Go that rely on certificate validation for trust decisions are exposed to man-in-the-middle risks.
Security Architect’s Take: Audit any Azure-hosted workloads or internal tooling built with Go to identify dependencies on crypto/x509, and prioritise upgrading to a patched Go runtime. Pay particular attention to services performing mTLS or certificate-based authentication where name constraints are used to enforce trust boundaries.
Original advisory: CVE-2025-61727 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509