CVE-2025-61730
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go standard library | crypto/tls | 0 < 1.24.12 | affected |
| Go standard library | crypto/tls | 1.25.0 < 1.25.6 | affected |
Weaknesses
- CWE-940: Improper Verification of Source of a Communication Channel
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://go.dev/cl/724120
- https://go.dev/issue/76443
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
- https://pkg.go.dev/vuln/GO-2026-4340
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.