Wildcard SAN Bypass Vulnerability

MEDIUM (6.5) No Patch (11 days)
certificate-handlinggogo-devsan-bypassvulnerability

Threat Intelligence

Low Risk
EPSS Score: 0.02% chance of exploitation (percentile: 5%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

How we test →

What is it?

The Wildcard SAN Bypass vulnerability is a security issue in Go's certificate handling. In short, it allows attackers to bypass the exclusion of certain subdomains from wildcard Subject Alternative Names (SANs) in leaf certificates, potentially leading to unauthorized access to resources.

Am I affected?

You're affected if you use An excluded subdomain constraint. Specific version info not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Packages

go: github.com/golang/go

Affected Products

The Go Team / Go

How to fix

Concrete steps:

  • Update your Go installation to version 1.19 or later.
    • For macOS users: brew install go and then run go build -v to check the version.
    • For Linux users: sudo apt-get update && sudo apt-get install golang-go and then run go build -v to check the version.
  • If you can't upgrade immediately, consider applying a workaround by disabling wildcard SANs for your certificate chain.

Immediate mitigations:

  • Restrict network access to your Go environment (firewall it from the public internet)
  • Audit Go processes for suspicious activity
  • Monitor for unauthorized certificate usage

References