CVE-2024-45341
📋 TL;DR
This vulnerability allows certificates with IPv6 addresses containing zone IDs to incorrectly satisfy URI name constraints in certificate chains. This could enable attackers to bypass intended certificate validation in private PKIs that use URIs. Only organizations using private PKIs with URI certificates are affected, as web PKI prohibits URI certificates.
💻 Affected Systems
- Go programming language
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could impersonate legitimate services in private PKIs, leading to man-in-the-middle attacks, data interception, or unauthorized access to internal systems.
Likely Case
Limited impact affecting only specific private PKI implementations using URI certificates with IPv6 zone IDs, potentially allowing certificate validation bypass in controlled environments.
If Mitigated
Minimal impact if organizations follow web PKI standards (which prohibit URI certificates) or properly validate certificate chains.
🎯 Exploit Status
Exploitation requires control over certificate issuance in a private PKI and specific IPv6 zone ID configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Go 1.23.2 and Go 1.22.11
Vendor Advisory: https://pkg.go.dev/vuln/GO-2025-3373
Restart Required: Yes
Instructions:
1. Update Go to version 1.23.2 or 1.22.11.
2. Recompile affected applications.
3. Restart services using the updated Go runtime.
🔧 Temporary Workarounds
Disable URI certificate validation
Configure applications not to validate URI name constraints where they are not required.
Restrict IPv6 zone IDs
Implement a certificate policy that prohibits IPv6 addresses with zone IDs in certificate URIs.
🧯 If You Can't Patch
- Implement network segmentation to isolate systems using private PKI with URI certificates
- Enhance certificate monitoring and alerting for unusual certificate validation patterns
🔍 How to Verify
Check if Vulnerable:
Check the Go version with 'go version'. If the version is earlier than 1.23.2 (or earlier than 1.22.11 on the 1.22 branch) and the application uses crypto/x509 with URI name constraints, it may be vulnerable.
Check Version:
go version
Verify Fix Applied:
Verify with 'go version' that Go is at 1.23.2 or 1.22.11 (or later). Test certificate validation with URIs containing IPv6 zone IDs.
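The "Restrict IPv6 zone IDs" workaround and the verification step above both come down to two checks on certificates you already hold: which CAs impose URI name constraints (the population in scope for this CVE), and whether any URI subject alternative name carries an IPv6 literal with a zone ID. The Go program below is an added example, not code from the page or from the Go project; the function names ZonedIPv6URIs, HasURIConstraints and newSampleCert are hypothetical, and the certificates and URIs it builds are constructed sample input so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net/netip"
	"net/url"
	"time"
)

// Finding records one URI SAN whose host is an IPv6 literal with a zone ID,
// i.e. a name the policy says must not be issued.
type Finding struct {
	URI  string // the URI SAN as it appears in the certificate
	Host string // host with brackets and port removed, e.g. "fe80::1%eth0"
	Zone string // the zone identifier, e.g. "eth0"
}

// ZonedIPv6URIs returns every URI SAN in cert whose host is an IPv6 address
// carrying a zone identifier. Hostnames and plain IP literals are not reported.
func ZonedIPv6URIs(cert *x509.Certificate) []Finding {
	var findings []Finding
	for _, u := range cert.URIs {
		// Hostname() strips the square brackets and any :port; url.Parse has
		// already decoded the RFC 6874 "%25" zone separator to a bare "%".
		host := u.Hostname()
		addr, err := netip.ParseAddr(host)
		if err != nil {
			continue // not an IP literal; ordinary domain-name matching applies
		}
		if addr.Is6() && addr.Zone() != "" {
			findings = append(findings, Finding{URI: u.String(), Host: host, Zone: addr.Zone()})
		}
	}
	return findings
}

// HasURIConstraints reports whether cert is a CA that imposes URI name
// constraints; only chains under such CAs are in scope for this CVE.
func HasURIConstraints(cert *x509.Certificate) bool {
	return cert.IsCA && (len(cert.PermittedURIDomains) > 0 || len(cert.ExcludedURIDomains) > 0)
}

// newSampleCert builds a self-signed certificate in memory (constructed sample
// input, not a real deployment artifact). When permittedURIDomains is non-empty
// the certificate is a CA carrying those URI name constraints.
func newSampleCert(uris []string, permittedURIDomains []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "policy-check sample"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if len(permittedURIDomains) > 0 {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		tmpl.PermittedURIDomains = permittedURIDomains
	}
	for _, s := range uris {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Round-trip through DER so the checks run on a parsed certificate,
	// exactly as they would on certificates read from disk.
	return x509.ParseCertificate(der)
}

func main() {
	leaf, err := newSampleCert([]string{
		"https://[fe80::1%25eth0]/", // IPv6 literal with zone ID: policy violation
		"https://[2001:db8::1]/",    // IPv6 literal without zone: allowed by this policy
		"https://svc.example.com/",  // hostname: allowed
	}, nil)
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range ZonedIPv6URIs(leaf) {
		fmt.Printf("policy violation: %s (host %s, zone %q)\n", f.URI, f.Host, f.Zone)
	}
	ca, err := newSampleCert(nil, []string{"example.com"})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("CA imposes URI name constraints:", HasURIConstraints(ca))
}
```

Point ZonedIPv6URIs at the certificates your private CA has issued (or at a pre-issuance hook in the CA software) and HasURIConstraints at your CA certificates: if no CA returns true, the chain-validation bug cannot be reached; if any leaf produces a finding, revoke and reissue it regardless of Go version, since the policy in the workaround is what keeps unpatched verifiers safe.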
📡 Detection & Monitoring
Log Indicators:
- Certificate validation failures involving URI constraints
- Unusual certificate chain validations
Network Indicators:
- Unexpected certificate validation successes in private PKI
- Traffic to services using IPv6 addresses with zone IDs
SIEM Query:
Search for certificate validation events with URI constraints containing IPv6 addresses and zone IDs