Go crypto/x509 Package Denial-of-Service Vulnerability Due to Inefficient Policy Validation

Vulnerability

A denial-of-service vulnerability has been identified in the Go programming language's standard library, specifically in the crypto/x509 package. The issue arises during validation of certificate chains that use certificate policies, particularly when the certificates carry a large number of policy mappings. Validation becomes disproportionately slow, which can leave the calling application unresponsive. The problem only occurs with trusted certificate chains, that is, chains issued by a root CA in the VerifyOptions.Roots CertPool or in the system certificate pool.

Impact

The vulnerability can cause applications to experience severe performance degradation, with certificate verification times increasing dramatically. This slowdown can disrupt normal application operations, especially in services that rely on timely certificate validation, such as mTLS or APIs that accept certificate chains.

Reproduction

The vulnerability can be reproduced by calling the x509.Certificate.Verify method on a certificate chain whose intermediates carry large PolicyMappings extensions. The chain must otherwise be trusted: it includes an intermediate certificate with a substantial number of policy mappings and chains to a root in the trusted pool. Once the chain is built to that trusted root, the verification step becomes excessively slow, demonstrating the vulnerability.

Remediation

Users can upgrade to Go versions 1.26.2 or 1.25.9, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
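Upgrading is the fix. For deployments that accept client chains and cannot upgrade immediately, the following added example (not code from the Go project or from this advisory) shows a pre-screen that decodes the id-ce-policyMappings extension of every certificate in a presented chain and rejects the chain before Certificate.Verify is ever called when any certificate is malformed or carries more mappings than a chosen limit; the limit of 16, the OID arc 1.3.6.1.4.1.99999 and the unsigned test certificate are constructed placeholders.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// id-ce-policyMappings (2.5.29.33): SEQUENCE OF {issuerDomainPolicy, subjectDomainPolicy}.
var policyMappingsOID = asn1.ObjectIdentifier{2, 5, 29, 33}
type policyMapping struct{ IssuerDomainPolicy, SubjectDomainPolicy asn1.ObjectIdentifier }
// CountPolicyMappings decodes the raw extension from cert.Extensions (filled by x509.ParseCertificate on any Go version).
func CountPolicyMappings(cert *x509.Certificate) (int, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(policyMappingsOID) {
			continue
		}
		var mappings []policyMapping
		if rest, err := asn1.Unmarshal(ext.Value, &mappings); err != nil || len(rest) != 0 {
			return 0, fmt.Errorf("malformed policyMappings extension in %q", cert.Subject.CommonName)
		}
		return len(mappings), nil
	}
	return 0, nil
}
// ChainExceedsMappingLimit pre-screens a presented chain before Certificate.Verify; a malformed or oversized extension trips it.
func ChainExceedsMappingLimit(chain []*x509.Certificate, limit int) bool {
	for _, c := range chain {
		if n, err := CountPolicyMappings(c); err != nil || n > limit {
			return true
		}
	}
	return false
}
// NewCertWithMappings builds a constructed, unsigned certificate with n mappings under a placeholder private OID arc.
func NewCertWithMappings(n int) *x509.Certificate {
	mappings := make([]policyMapping, n)
	for i := range mappings {
		mappings[i] = policyMapping{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, i + 1},
			asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2, i + 1}}
	}
	der, _ := asn1.Marshal(mappings) // well-formed by construction
	return &x509.Certificate{Subject: pkix.Name{CommonName: "constructed intermediate"},
		Extensions: []pkix.Extension{{Id: policyMappingsOID, Value: der}}}
}
func main() {
	chain := []*x509.Certificate{NewCertWithMappings(3), NewCertWithMappings(500)}
	fmt.Println("reject before Verify:", ChainExceedsMappingLimit(chain, 16)) // true
}
```

The pre-screen inspects every presented certificate, not only those that will chain to a trusted root, so it is a coarse compensating control rather than a replacement for the patched Verify.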

Added: Apr 8, 2026, 2:32 AM
Updated: Apr 8, 2026, 2:32 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.