2.2
webpki: Name constraints for URI names were incorrectly accepted
RUSTSEC-2026-0098
GHSA-965h-392x-2mh5
Summary
Name constraints for URI names were ignored and therefore accepted.
Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally.
Since name constraints are restrictions on otherwis...
What to do
- Update ctz rustls-webpki to version 0.104.0-alpha.6.
- Update rustls-webpki to version 0.103.12.
- Update rustls-webpki to version 0.104.0-alpha.6.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| crates.io | ctz | rustls-webpki | >= 0.104.0-alpha.1, < 0.104.0-alpha.6. Fix: upgrade to 0.104.0-alpha.6 |
| rust | – | rustls-webpki | >= 0.101.0, < 0.103.12; >= 0.104.0-alpha.1, < 0.104.0-alpha.6. Fix: upgrade to 0.103.12 |
Original title
webpki: Name constraints for URI names were incorrectly accepted
Original description
Name constraints for URI names were ignored and therefore accepted.
Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally.
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
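The behaviour described above (rejecting URI name constraints instead of ignoring them) can be sketched as a fail-closed check over the GeneralName tags in a NameConstraints extension value. This is an added example, not rustls-webpki's code; the function names, the `IMPLEMENTED` allowlist and the sample bytes are assumptions constructed for illustration.

```rust
// Added example, not rustls-webpki code: fail closed on GeneralName types in a
// NameConstraints value (RFC 5280, section 4.2.1.10) that have no matching logic.
#[derive(Debug, PartialEq)]
pub enum Error { BadDer, UnsupportedNameType(u8) }

// Read one DER TLV from the front of `input`: (tag, value, remainder).
fn read_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), Error> {
    let (&tag, rest) = input.split_first().ok_or(Error::BadDer)?;
    let (&len, rest) = rest.split_first().ok_or(Error::BadDer)?;
    // Only short-form lengths are handled here; anything else is rejected.
    if len >= 0x80 || rest.len() < len as usize { return Err(Error::BadDer); }
    let (value, rest) = rest.split_at(len as usize);
    Ok((tag, value, rest))
}

// Assumption of this example: only dNSName, directoryName and iPAddress bases can be matched.
const IMPLEMENTED: [u8; 3] = [0x82, 0xA4, 0x87];

// Count the constraints, or fail on the first base whose type cannot be
// enforced (0x86 is uniformResourceIdentifier). Skipping it would accept it.
pub fn check_constraint_types(ext_value: &[u8]) -> Result<usize, Error> {
    let (tag, mut fields, rest) = read_tlv(ext_value)?;
    if tag != 0x30 || !rest.is_empty() { return Err(Error::BadDer); }
    let mut count = 0;
    while !fields.is_empty() {
        let (tag, mut subtrees, rest) = read_tlv(fields)?;
        // Context tags [0] permittedSubtrees and [1] excludedSubtrees.
        if tag != 0xA0 && tag != 0xA1 { return Err(Error::BadDer); }
        while !subtrees.is_empty() {
            let (tag, subtree, rest) = read_tlv(subtrees)?;
            if tag != 0x30 { return Err(Error::BadDer); }
            let (name_tag, _, _) = read_tlv(subtree)?;
            if !IMPLEMENTED.contains(&name_tag) { return Err(Error::UnsupportedNameType(name_tag)); }
            count += 1;
            subtrees = rest;
        }
        fields = rest;
    }
    Ok(count)
}

// Constructed sample: one permitted subtree with base "example.com" under the given tag.
pub fn sample(name_tag: u8) -> Vec<u8> {
    let mut v = vec![0x30, 0x11, 0xA0, 0x0F, 0x30, 0x0D, name_tag, 0x0B];
    v.extend_from_slice(b"example.com");
    v
}

fn main() {
    println!("{:?}", check_constraint_types(&sample(0x82)));
    println!("{:?}", check_constraint_types(&sample(0x86)));
}
```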
Vulnerability type
CWE-295
Improper Certificate Validation
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 15 Apr 2026