7.5

CVE-2025-61729

Medienbericht

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version < 1.24.11
GolangGo Version >= 1.25.0 < 1.25.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.46% 0.366
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.02.2026 14:00
https://go.dev/cl/725920
Patch
https://go.dev/issue/76445
Patch
Issue Tracking
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
Mailing List
Release Notes
https://pkg.go.dev/vuln/GO-2025-4155
Vendor Advisory