CVE-2025-61729
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go standard library | crypto/x509 | 0 < 1.24.11 | affected |
| Go standard library | crypto/x509 | 1.25.0 < 1.25.5 | affected |
Weaknesses
- CWE-400: Uncontrolled Resource Consumption
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://go.dev/cl/725920
- https://go.dev/issue/76445
- https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
- https://pkg.go.dev/vuln/GO-2025-4155
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.