GHSA-7JRQ-Q4PQ-RHM6

Vulnerability from github – Published: 2026-04-14 23:15 – Updated: 2026-04-14 23:15
VLAI?
Summary
Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles
Details

Summary

The trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS.

Impact

In deployments using mTLS with certificate chains (intermediate CA + root CA bundles), legitimate clients with properly chained certificates are rejected with x509: certificate signed by unknown authority. This degrades the security posture by making mTLS unusable with standard CA chain configurations, potentially forcing operators to disable client certificate verification.

All versions using TLS with trustedCaFile configuration are affected.

Details

In common/security/tls.go, the trustedCertPool() method calls pem.Decode() only once, processing a single PEM block. The remaining bytes (containing additional certificates) are silently discarded. Additionally, the error return from pem.Decode is ignored, so a corrupted CA file results in an empty certificate pool without any error.

Patches

Fixed by iterating over all PEM blocks in the file, parsing each CERTIFICATE block, and returning an error if no valid certificates are found.

Workarounds

Use CA files containing only a single certificate (the direct issuer of client certificates, not a chain).

Severity ?
8.0 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.16.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/oxia-db/oxia"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:15:16Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `trustedCertPool()` function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS.\n\n### Impact\nIn deployments using mTLS with certificate chains (intermediate CA + root CA bundles), legitimate clients with properly chained certificates are rejected with `x509: certificate signed by unknown authority`. This degrades the security posture by making mTLS unusable with standard CA chain configurations, potentially forcing operators to disable client certificate verification.\n\nAll versions using TLS with `trustedCaFile` configuration are affected.\n\n### Details\nIn `common/security/tls.go`, the `trustedCertPool()` method calls `pem.Decode()` only once, processing a single PEM block. The remaining bytes (containing additional certificates) are silently discarded. Additionally, the error return from `pem.Decode` is ignored, so a corrupted CA file results in an empty certificate pool without any error.\n\n### Patches\nFixed by iterating over all PEM blocks in the file, parsing each CERTIFICATE block, and returning an error if no valid certificates are found.\n\n### Workarounds\nUse CA files containing only a single certificate (the direct issuer of client certificates, not a chain).",
  "id": "GHSA-7jrq-q4pq-rhm6",
  "modified": "2026-04-14T23:15:16Z",
  "published": "2026-04-14T23:15:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-7jrq-q4pq-rhm6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oxia-db/oxia"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Oxia\u0027s TLS CA certificate chain validation fails with multi-certificate PEM bundles"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.