CVE Reports

Posted on • Originally published at cvereports.com

GHSA-pwjx-qhcg-rvj4: Certificate Revocation Bypass via Iterator Exhaustion in rustls-webpki

Vulnerability ID: GHSA-PWJX-QHCG-RVJ4
CVSS Score: 4.4
Published: 2026-03-20

The rustls-webpki crate contains a logic flaw in its certificate revocation enforcement mechanism. Due to the improper reuse of one-shot DER iterators during Certificate Revocation List (CRL) processing, the verifier fails to match legitimate Distribution Points (DPs) to Issuing Distribution Points (IDPs), potentially leading to the acceptance of revoked certificates under permissive configurations.

TL;DR

A logic bug in rustls-webpki's CRL processing allows revoked certificates to be accepted as valid. The vulnerability stems from iterator exhaustion when parsing multiple URIs in Distribution Points and Issuing Distribution Points.


⚠️ Exploit Status: POC

Technical Details

  • CVSS Score: 4.4 (Medium)
  • Attack Vector: Network
  • CWE ID: CWE-295
  • Exploit Status: Proof of Concept
  • Impact: High Integrity Loss
  • KEV Status: Not Listed

Affected Systems

  • rustls-webpki
  • rustls-webpki: >= 0.101.0, < 0.103.10 (Fixed in: 0.103.10)
  • rustls-webpki: >= 0.104.0-alpha.1, < 0.104.0-alpha.5 (Fixed in: 0.104.0-alpha.5)

Code Analysis

Commit: e459078

Pre-fix state containing the vulnerable iterator exhaustion logic.

Mitigation Strategies

  • Update rustls-webpki to a patched version
  • Configure revocation checking with UnknownStatusPolicy::Deny, so that a certificate whose revocation status cannot be determined is rejected instead of accepted

Remediation Steps:

  1. Identify projects depending on vulnerable versions of rustls-webpki using cargo tree.
  2. Update Cargo.toml to require rustls-webpki >= 0.103.10 (or >= 0.104.0-alpha.5 on the 0.104 alpha line).
  3. Regenerate Cargo.lock and recompile the application.
  4. If updating is not immediately possible, modify the TLS configuration to strictly enforce revocation by setting UnknownStatusPolicy to Deny.
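As an added illustration of the bug class and of why the UnknownStatusPolicy::Deny mitigation matters, the following is a constructed Rust model; it is not rustls-webpki's code, and every URI, serial number and function name in it is made up for the example:

```rust
// Constructed model of the bug class in this advisory; it is not rustls-webpki code.
// A CRL's Issuing Distribution Point (IDP) names the URIs it covers and a cert's CRL
// Distribution Point (DP) names its CRL URIs; the CRL applies to the cert only if
// some DP URI equals some IDP URI. If no CRL applies, the status is Unknown.

#[derive(Debug, PartialEq)]
pub enum UnknownStatusPolicy { Allow, Deny }

#[derive(Debug, PartialEq)]
pub enum Status { Revoked, NotRevoked, Unknown }

/// Vulnerable pattern: one iterator over the IDP URIs is created once and reused
/// for every DP URI. `any` consumes it, so after the first DP URI fails to match,
/// every later DP URI is compared against an already exhausted iterator.
pub fn dp_matches_idp_vulnerable(dp_uris: &[&str], idp_uris: &[&str]) -> bool {
    let mut idp_iter = idp_uris.iter();
    for dp in dp_uris {
        if idp_iter.any(|idp| idp == dp) {
            return true;
        }
    }
    false
}

/// Fixed pattern: a fresh IDP iterator per DP URI, so every pair is compared.
pub fn dp_matches_idp_fixed(dp_uris: &[&str], idp_uris: &[&str]) -> bool {
    dp_uris.iter().any(|dp| idp_uris.iter().any(|idp| idp == dp))
}

/// Status of `serial` given the cert's DP URIs and a single CRL (its IDP URIs and
/// revoked serials); `matcher` decides whether the CRL is applicable at all.
pub fn revocation_status(serial: u64, dp_uris: &[&str], crl_idp_uris: &[&str],
                         crl_revoked: &[u64], matcher: fn(&[&str], &[&str]) -> bool) -> Status {
    if !matcher(dp_uris, crl_idp_uris) {
        return Status::Unknown; // CRL judged inapplicable, its entries never consulted
    }
    if crl_revoked.contains(&serial) { Status::Revoked } else { Status::NotRevoked }
}

/// Whether the verifier accepts the certificate under the configured policy.
pub fn accepted(status: &Status, policy: &UnknownStatusPolicy) -> bool {
    match status {
        Status::Revoked => false,
        Status::NotRevoked => true,
        Status::Unknown => *policy == UnknownStatusPolicy::Allow,
    }
}
```

With two DP URIs and an IDP that lists only the second one, the vulnerable matcher never reaches the CRL, so the revoked serial comes back Unknown and is accepted only under the Allow policy; Deny rejects it even before the library is patched.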

Read the full report for GHSA-PWJX-QHCG-RVJ4 on our website for more details including interactive diagrams and full exploit analysis.