GHSA-mjcp-gpgx-ggcg: OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

December 9, 2025

When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate.

For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

References

github.com/advisories/GHSA-mjcp-gpgx-ggcg
github.com/opentofu/opentofu
github.com/opentofu/opentofu/issues/3546
github.com/opentofu/opentofu/releases/tag/v1.10.8
github.com/opentofu/opentofu/security/advisories/GHSA-mjcp-gpgx-ggcg
nvd.nist.gov/vuln/detail/CVE-2025-61727

Code Behaviors & Features

Detect and mitigate GHSA-mjcp-gpgx-ggcg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →