CVE-2025-61727

Public on 2025-12-03
Modified on 2025-12-08
Description
crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
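
The overlap described above can be checked independently of the library. The following Go code is an added example, not code from this advisory or from the Go project: it flags wildcard SANs that can match a name inside an excluded subtree, and goes slightly beyond the advisory's single case by also flagging wildcards that sit entirely under the excluded name. The function and type names are hypothetical; the inputs are plain strings such as those found in the `DNSNames` and `ExcludedDNSDomains` fields of `x509.Certificate`.

```go
package main

import (
	"fmt"
	"strings"
)

// wildcardOverlaps reports whether a SAN of the form "*.base" can match at
// least one name in the excluded subtree rooted at excl. Non-wildcard SANs return false.
func wildcardOverlaps(san, excl string) bool {
	// Normalize case and drop leading/trailing dots (assumption: a leading-dot
	// constraint is treated conservatively as the whole subtree).
	san = strings.Trim(strings.ToLower(san), ".")
	excl = strings.Trim(strings.ToLower(excl), ".")
	if !strings.HasPrefix(san, "*.") || excl == "" {
		return false
	}
	base := san[2:]
	// Every name the wildcard matches already lies under the excluded root.
	if base == excl || strings.HasSuffix(base, "."+excl) {
		return true
	}
	// Advisory case: excl is exactly one label below base, so "*" can expand to it.
	label, parent, ok := strings.Cut(excl, ".")
	return ok && label != "" && parent == base
}

// Finding pairs a wildcard SAN with an excluded constraint it overlaps.
type Finding struct{ SAN, Excluded string }

// auditWildcards checks every SAN against every excluded constraint.
func auditWildcards(sans, excluded []string) []Finding {
	var out []Finding
	for _, s := range sans {
		for _, e := range excluded {
			if wildcardOverlaps(s, e) {
				out = append(out, Finding{s, e})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample values, not taken from any real certificate.
	sans := []string{"*.example.com", "www.example.com", "*.example.net"}
	fmt.Println(auditWildcards(sans, []string{"test.example.com"}))
}
```

A check like this is useful for auditing issued leaf certificates against the constraints of their issuing CA on hosts that have not yet received the fixed packages.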
Severity
Medium
CVSS v3 Base Score
4.8

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | amazon-cloudwatch-agent | 2026-01-05 | ALAS2-2025-3120 | Fixed |
| Amazon Linux 2023 | amazon-cloudwatch-agent | 2026-01-07 | ALAS2023-2025-1358 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | amazon-ecr-credential-helper | 2026-01-05 | ALAS2NITRO-ENCLAVES-2025-079 | Fixed |
| Amazon Linux 2 - Docker Extra | amazon-ecr-credential-helper | 2026-01-05 | ALAS2DOCKER-2025-087 | Fixed |
| Amazon Linux 2 - Ecs Extra | amazon-ecr-credential-helper | 2026-01-05 | ALAS2ECS-2025-087 | Fixed |
| Amazon Linux 2023 | amazon-ecr-credential-helper | 2026-01-07 | ALAS2023-2025-1327 | Fixed |
| Amazon Linux 2023 | amazon-ssm-agent | 2026-01-07 | ALAS2023-2025-1359 | Fixed |
| Amazon Linux 2 - Core | cni-plugins | 2026-01-05 | ALAS2-2025-3098 | Fixed |
| Amazon Linux 2023 | cni-plugins | 2026-01-07 | ALAS2023-2025-1321 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2026-01-05 | ALAS2NITRO-ENCLAVES-2025-083 | Fixed |
| Amazon Linux 2 - Docker Extra | containerd | 2026-01-05 | ALAS2DOCKER-2025-093 | Fixed |
| Amazon Linux 2 - Ecs Extra | containerd | 2026-01-05 | ALAS2ECS-2025-091 | Fixed |
| Amazon Linux 2023 | containerd | 2026-01-07 | ALAS2023-2025-1333 | Fixed |
| Amazon Linux 2 - Core | cri-tools | 2026-01-05 | ALAS2-2025-3097 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | docker | 2026-01-05 | ALAS2NITRO-ENCLAVES-2025-082 | Fixed |
| Amazon Linux 2 - Docker Extra | docker | 2026-01-05 | ALAS2DOCKER-2025-089 | Fixed |
| Amazon Linux 2 - Ecs Extra | docker | 2026-01-05 | ALAS2ECS-2025-090 | Fixed |
| Amazon Linux 2023 | docker | 2026-01-07 | ALAS2023-2025-1329 | Fixed |
| Amazon Linux 2 - Ecs Extra | ecs-init | 2026-01-05 | ALAS2ECS-2025-088 | Fixed |
| Amazon Linux 2023 | ecs-init | 2026-01-07 | ALAS2023-2025-1341 | Fixed |
| Amazon Linux 2 - Core | golang | 2026-01-05 | ALAS2-2025-3105 | Fixed |
| Amazon Linux 2023 | golang | 2026-01-07 | ALAS2023-2025-1323 | Fixed |
| Amazon Linux 2 - Core | golang-github-cpuguy83-go-md2man | 2026-01-05 | ALAS2-2025-3118 | Fixed |
| Amazon Linux 2 - Core | golist | 2026-01-05 | ALAS2-2025-3119 | Fixed |
| Amazon Linux 2023 | libcap | 2026-01-07 | ALAS2023-2025-1322 | Fixed |
| Amazon Linux 2 - Core | nerdctl | 2026-01-05 | ALAS2-2025-3100 | Fixed |
| Amazon Linux 2023 | nerdctl | 2026-01-07 | ALAS2023-2025-1326 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | oci-add-hooks | 2026-01-05 | ALAS2NITRO-ENCLAVES-2025-080 | Fixed |
| Amazon Linux 2 - Docker Extra | oci-add-hooks | 2026-01-05 | ALAS2DOCKER-2025-091 | Fixed |
| Amazon Linux 2 - Ecs Extra | oci-add-hooks | 2026-01-05 | ALAS2ECS-2025-086 | Fixed |
| Amazon Linux 2023 | oci-add-hooks | 2026-01-07 | ALAS2023-2025-1335 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | runc | 2026-01-05 | ALAS2NITRO-ENCLAVES-2025-081 | Fixed |
| Amazon Linux 2 - Docker Extra | runc | 2026-01-05 | ALAS2DOCKER-2025-088 | Fixed |
| Amazon Linux 2 - Ecs Extra | runc | 2026-01-05 | ALAS2ECS-2025-089 | Fixed |
| Amazon Linux 2023 | runc | 2026-01-07 | ALAS2023-2025-1328 | Fixed |
| Amazon Linux 2 - Docker Extra | runfinch-finch | 2026-01-05 | ALAS2DOCKER-2025-092 | Fixed |
| Amazon Linux 2023 | runfinch-finch | 2026-01-07 | ALAS2023-2025-1336 | Fixed |
| Amazon Linux 2 - Docker Extra | soci-snapshotter | 2026-01-05 | ALAS2DOCKER-2025-090 | Fixed |
| Amazon Linux 2023 | soci-snapshotter | 2026-01-07 | ALAS2023-2025-1334 | Fixed |

CVSS Scores

| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |