CVE-2024-45341: 
cAdvisor vulnerability analysis and mitigation

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. This vulnerability, identified as CVE-2024-45341, was discovered in January 2025 and affects the crypto/x509 package of the Golang standard library. The issue specifically impacts private PKIs that use URIs, as certificates containing URIs are not permitted in the web PKI (NVD, Go Issue).

The vulnerability exists in the certificate validation process where IPv6 addresses containing zone IDs in URIs could bypass URI name constraints in the certificate chain. The issue has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability only affects users of private PKIs which make use of URIs in their certificates. Since certificates containing URIs are not permitted in the web PKI, the impact is limited to private certificate deployments (Debian Tracker).

The issue has been fixed in Go versions 1.22.11, 1.23.5, and 1.24.0-rc2. Users are advised to upgrade to these versions or later to address the vulnerability. The fixes were implemented through commits in the Go codebase (Go Dev).

The vulnerability was responsibly disclosed by Juho Forsén of Mattermost. The Go team promptly addressed the issue by releasing security updates across multiple versions of the language (Go Dev).