GHSA-pwjx-qhcg-rvj4: webpki has a certificate revocation enforcement bug
There is a certificate revocation enforcement bug in rustls-webpki CRL processing. When both the certificate's CRL distribution point and the CRL's issuing distribution point contain multiple URI names, IssuingDistributionPoint::authoritative_for() reuses one-shot DER iterators across nested comparisons. If the only matching URI pair appears later in both sequences, the implementation misses the match, treats the CRL as non-authoritative for the certificate, and under UnknownStatusPolicy::Allow accepts a certificate that the CRL actually lists as revoked.
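The following is an added illustration of the iterator-reuse pattern the advisory describes; it is constructed for this page and is not rustls-webpki's code. The types `UriName` and `UnknownStatusPolicy` and the functions `authoritative_for_buggy`, `authoritative_for_fixed` and `is_accepted` are simplified stand-ins, and the sample URIs are made up.

```rust
/// Simplified stand-in for a DER-encoded URI name (hypothetical type).
#[derive(Debug, Clone, PartialEq)]
pub struct UriName(pub String);

/// Buggy pattern: the inner iterator is created once and reused across the
/// outer loop. After the first outer element fails to match, `any` has
/// consumed it entirely, so every later certificate DP URI is compared
/// against an exhausted iterator and a later match is never found.
pub fn authoritative_for_buggy(cert_dp_uris: &[UriName], crl_idp_uris: &[UriName]) -> bool {
    let mut idp_iter = crl_idp_uris.iter(); // one-shot iterator, created once
    for cert_uri in cert_dp_uris {
        // BUG: `idp_iter` is not restarted for each outer iteration.
        if idp_iter.any(|idp_uri| idp_uri == cert_uri) {
            return true;
        }
    }
    false
}

/// Fixed pattern: a fresh inner iterator per outer element, so every
/// (certificate DP URI, CRL IDP URI) pair is actually compared.
pub fn authoritative_for_fixed(cert_dp_uris: &[UriName], crl_idp_uris: &[UriName]) -> bool {
    for cert_uri in cert_dp_uris {
        if crl_idp_uris.iter().any(|idp_uri| idp_uri == cert_uri) {
            return true;
        }
    }
    false
}

/// Hypothetical stand-in for the advisory's UnknownStatusPolicy.
#[derive(Clone, Copy)]
pub enum UnknownStatusPolicy { Allow, Deny }

/// Simplified revocation decision: the CRL only counts when it is
/// authoritative for the certificate. Otherwise the status is unknown and
/// the policy decides, so under `Allow` a revoked certificate is accepted
/// whenever the authoritative check wrongly fails.
pub fn is_accepted(
    cert_dp_uris: &[UriName],
    crl_idp_uris: &[UriName],
    crl_lists_cert_as_revoked: bool,
    policy: UnknownStatusPolicy,
    authoritative_for: fn(&[UriName], &[UriName]) -> bool,
) -> bool {
    if authoritative_for(cert_dp_uris, crl_idp_uris) {
        !crl_lists_cert_as_revoked
    } else {
        matches!(policy, UnknownStatusPolicy::Allow)
    }
}
```

With the match placed second in both lists, the buggy check reports the CRL as non-authoritative and `Allow` lets the revoked certificate through, while `Deny` rejects it regardless.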