GHSA-965h-392x-2mh5: webpki: Name constraints for URI names were incorrectly accepted

April 16, 2026

Name constraints for URI names were ignored and therefore accepted.

Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally.

Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.

References

github.com/advisories/GHSA-965h-392x-2mh5
github.com/rustls/webpki
github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5
rustsec.org/advisories/RUSTSEC-2026-0098.html

Code Behaviors & Features

Detect and mitigate GHSA-965h-392x-2mh5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →