diff --git a/library/x509_crt.c b/library/x509_crt.c
index 6d62e4494..601fb2c36 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2813,7 +2813,6 @@ static int x509_inet_pton_ipv6(const char *src, void *dst)
 
 static int x509_inet_pton_ipv4(const char *src, void *dst)
 {
-    /* note: allows leading 0's, e.g. 000.000.000.000 */
     const unsigned char *p = (const unsigned char *) src;
     uint8_t *res = (uint8_t *) dst;
     uint8_t digit, num_digits = 0;
@@ -2827,13 +2826,20 @@ static int x509_inet_pton_ipv4(const char *src, void *dst)
             if (digit > 9) {
                 break;
             }
+
+            /* Don't allow leading zeroes. These might mean octal format,
+             * which this implementation does not support. */
+            if (octet == 0 && num_digits > 0) {
+                return -1;
+            }
+
             octet = octet * 10 + digit;
             num_digits++;
             p++;
         } while (num_digits < 3);
 
         if (octet >= 256 || num_digits > 3 || num_digits == 0) {
-            break;
+            return -1;
         }
         *res++ = (uint8_t) octet;
         num_octets++;
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 55ed0c55d..f67d4ba0a 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1046,6 +1046,12 @@ x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip
 X509 CRT parse CN: IPv4 valid address
 x509_crt_parse_cn_inet_pton:"10.10.10.10":"0A0A0A0A":4
 
+X509 CRT parse CN: IPv4 leading zeroes #1
+x509_crt_parse_cn_inet_pton:"010.10.10.10":"":0
+
+X509 CRT parse CN: IPv4 leading zeroes #2
+x509_crt_parse_cn_inet_pton:"10.10.10.001":"":0
+
 X509 CRT parse CN: IPv4 excess 0s
 x509_crt_parse_cn_inet_pton:"10.0000.10.10":"":0