rustls-webpki 0.103.13 Patches CRL Parsing Panic and URI Name Constraint Flaw
The rustls-webpki cryptographic library has issued version 0.103.13, patching two security vulnerabilities that could compromise certificate validation in Rust-based TLS implementations. The more severe issue—a reachable panic triggered during Certificate Revocation List (CRL) parsing—was disclosed under security advisory GHSA-82j2-j2ch-gfr8. Applications that process CRLs face potential denial-of-service exposure, while those that skip CRL validation remain unaffected by this specific flaw.
A second vulnerability involves incorrect processing of name constraints on URI names, where excluded subtrees were handled in a manner that inverted their intended logic. This defect traces back to an incomplete fix for a prior advisory (GHSA-965h-392x-2mh5), indicating that the original patch failed to cover all affected code paths. The inversion could allow certificates that should fail validation to be incorrectly accepted, weakening the integrity of certificate chain verification for affected deployments.
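To make the name-constraint point concrete, here is an added example (written for this article, not code from rustls-webpki or from either advisory) of how a URI subject name is meant to be evaluated against RFC 5280 section 4.2.1.10 name constraints. The `UriConstraints` struct and the function names are assumptions for illustration; only the host part of a URI is constrained, and the intended decision order is: any excluded-subtree match rejects, otherwise the name is accepted only if the permitted list is empty or at least one permitted subtree matches.

```rust
// Added example, not code from rustls-webpki: a simplified check of a URI
// subject alternative name against RFC 5280 section 4.2.1.10 name constraints.
// IP-literal hosts, other name types and IDNA handling are out of scope.

/// Hypothetical container for the URI-typed permitted/excluded subtrees.
pub struct UriConstraints<'a> {
    pub permitted: &'a [&'a str],
    pub excluded: &'a [&'a str],
}

/// Extract the lower-cased host of a URI, dropping scheme, userinfo, port and
/// path. IP-literal hosts (e.g. "[::1]") are constrained by IP subtrees in
/// RFC 5280, so they are not handled here and yield None.
pub fn uri_host(uri: &str) -> Option<String> {
    let after_scheme = uri.split_once("://")?.1;
    let authority = after_scheme
        .split(|c: char| c == '/' || c == '?' || c == '#')
        .next()?;
    let host_port = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    if host_port.starts_with('[') {
        return None;
    }
    let host = host_port.split(':').next()?;
    if host.is_empty() {
        return None;
    }
    Some(host.to_ascii_lowercase())
}

/// A constraint beginning with '.' matches any host that has at least one
/// extra label in front of it ("host.example.com" for ".example.com", but not
/// "example.com" itself); any other constraint names exactly one host.
pub fn host_in_subtree(host: &str, constraint: &str) -> bool {
    let c = constraint.to_ascii_lowercase();
    match c.strip_prefix('.') {
        Some(domain) => {
            host.len() > domain.len()
                && host.ends_with(domain)
                && host.as_bytes()[host.len() - domain.len() - 1] == b'.'
        }
        None => host == c,
    }
}

/// Intended ordering: excluded subtrees are checked first and always reject;
/// permitted subtrees are only consulted when the list is non-empty.
pub fn uri_name_allowed(uri: &str, nc: &UriConstraints<'_>) -> bool {
    let host = match uri_host(uri) {
        Some(h) => h,
        None => return false,
    };
    if nc.excluded.iter().any(|c| host_in_subtree(&host, c)) {
        return false;
    }
    nc.permitted.is_empty() || nc.permitted.iter().any(|c| host_in_subtree(&host, c))
}

fn main() {
    let nc = UriConstraints {
        permitted: &[".example.com"],
        excluded: &[".internal.example.com"],
    };
    for uri in [
        "https://www.example.com/",
        "https://db.internal.example.com/",
        "https://example.com/",
    ] {
        println!("{uri}: {}", uri_name_allowed(uri, &nc));
    }
}
```

The ordering is the whole point: an excluded match has to reject no matter what the permitted list says, and a permitted match never overrides it. The advisory describes the library's excluded-subtree handling as inverted; this example shows the intended direction of the check, not rustls-webpki's code before or after the fix.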
The rustls-webpki crate functions as a foundational component for Web PKI certificate validation across the Rust ecosystem. Organizations running Rust-based TLS implementations should immediately assess whether their applications handle CRLs or enforce URI-based name constraints. The update from 0.103.10 to 0.103.13 is now available through standard dependency management channels, and security teams should prioritize this patch based on their specific certificate validation configurations.
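Assessing exposure starts with knowing which rustls-webpki versions are actually resolved in a build. The following added example (not part of rustls-webpki or the advisory) walks a Cargo.lock file and reports every `rustls-webpki` entry older than the patched release 0.103.13, the version the article names; the sample lock file is constructed for the demonstration and the function names are assumptions.

```rust
// Added example, not part of rustls-webpki or the advisory: scan a Cargo.lock
// for rustls-webpki entries older than the patched release 0.103.13 so the
// exposure assessment can be scripted across many repositories.

/// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release or build suffix) into a
/// tuple that compares lexicographically.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next().flatten()?;
    let minor = parts.next().flatten()?;
    let patch = parts.next().flatten()?;
    Some((major, minor, patch))
}

/// Patched version from the article; anything older is flagged for review.
pub const FIXED_WEBPKI: (u64, u64, u64) = (0, 103, 13);

/// Walk Cargo.lock's [[package]] blocks. Cargo writes `name` before `version`
/// inside each block, and a lock file may legitimately contain several
/// versions of the same crate, so every match is reported.
pub fn outdated_webpki_versions(lock: &str, fixed: (u64, u64, u64)) -> Vec<String> {
    let mut found = Vec::new();
    let mut current_name: Option<String> = None;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            current_name = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            current_name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            let ver = rest.trim_matches('"');
            if current_name.as_deref() == Some("rustls-webpki") {
                if let Some(parsed) = parse_version(ver) {
                    if parsed < fixed {
                        found.push(ver.to_string());
                    }
                }
            }
        }
    }
    found
}

/// Constructed sample lock file (not from any real project). It deliberately
/// resolves two rustls-webpki versions, as a real lock file can.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "rustls-webpki 0.103.10",
]

[[package]]
name = "rustls-webpki"
version = "0.103.10"

[[package]]
name = "rustls-webpki"
version = "0.103.13"
"#;

fn main() {
    let hits = outdated_webpki_versions(SAMPLE_LOCK, FIXED_WEBPKI);
    if hits.is_empty() {
        println!("no rustls-webpki older than 0.103.13 in lock file");
    } else {
        println!("rustls-webpki versions needing review: {hits:?}");
    }
}
```

A lock file that pins 0.103.13 for one dependency tree can still carry 0.103.10 for another, which is why the scan reports every block rather than stopping at the first. Whether a flagged version is actually exploitable still depends on the configuration the article calls out: CRL processing for the panic, URI name constraints for the inverted exclusion check.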