7.5

CVE-2025-61729

Medienbericht

EPSS 0.02%
Veröffentlicht 02.12.2025 18:54:10
Zuletzt bearbeitet 19.12.2025 18:25:28
Quelle security@golang.org
CVE-Watchlists
Login
Unerledigt
Login

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.24.11

Golang ≫ Go Version >= 1.25.0 < 1.25.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.042

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://www.heise.de/news/DoS-und-Schadcode-Attacken-auf-IBM-App-Connect-Enterprise-moeglich-11169213.html

Media Report

https://go.dev/cl/725920

Patch

https://go.dev/issue/76445

Patch

Issue Tracking

https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

Mailing List

Release Notes

https://pkg.go.dev/vuln/GO-2025-4155

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-61729

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-61729

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-61729

EUVD