7.5

CVE-2025-61729

EPSS 0.02%
Veröffentlicht 02.12.2025 18:54:10
Zuletzt bearbeitet 19.12.2025 18:25:28
Quelle security@golang.org
CVE-Watchlists
Login
Unerledigt
Login

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.24.11

Golang ≫ Go Version >= 1.25.0 < 1.25.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.03

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://go.dev/cl/725920

Patch

https://go.dev/issue/76445

Patch

Issue Tracking

https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

Mailing List

Release Notes

https://pkg.go.dev/vuln/GO-2025-4155

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-61729

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-61729

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-61729

EUVD