CVE-2025-61729

High CVSS: 7.5

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Vendor

Golang

Product

CWE

CWE-295

Yayın Tarihi

2025-12-02 19:15:51

Güncelleme

2025-12-19 18:25:28

Source Identifier

security@golang.org

KEV Date Added

Kategoriler

CWE-295 Go HIGH Golang 2025

Referanslar

https://go.dev/cl/725920 https://go.dev/issue/76445 https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 https://pkg.go.dev/vuln/GO-2025-4155

Benzer Kayıtlar

Critical

CVE-2025-68121

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between th…

High

CVE-2025-61732

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

Low

CVE-2025-22873

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For examp…

High

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercuria…

High

CVE-2025-61731

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of…

High

CVE-2025-61726

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query p…