{"id":"HSEC-2023-0006","summary":"x509-validation does not enforce pathLenConstraint","details":"# x509-validation does not enforce pathLenConstraint\n\n*x509-validation* prior to version 1.4.8 did not enforce the\npathLenConstraint value.  Constrained CAs could accidentally (or\ndeliberately) issue CA certificates beyond the permitted path length, and\n*x509-validation* would accept certificates issued by the\nunauthorised intermediate CAs.\n","modified":"2025-11-14T18:15:35.439845Z","published":"2025-11-14T14:45:34Z","database_specific":{"repository":"https://github.com/haskell/security-advisories","osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","home":"https://github.com/haskell/security-advisories"},"references":[{"type":"FIX","url":"https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e"}],"affected":[{"package":{"name":"x509-validation","ecosystem":"Hackage","purl":"pkg:hackage/x509-validation"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.4.0"},{"fixed":"1.4.8"}]}],"versions":["1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7"],"database_specific":{"osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0006.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0006.md","source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0006.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"}]}],"schema_version":"1.7.3"}