CVE-2025-61728

Published: Jan 28, 2026Modified: Feb 6, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected (2)

Products: Golang: Go

Golang

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.24.12
Golang Go	From 1.25.0 to 1.25.6

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (5)

https://go.dev/cl/736713

Source: security@golang.org

Patch

https://go.dev/issue/77102

Source: security@golang.org

Patch

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Source: security@golang.org

Release Notes

https://pkg.go.dev/vuln/GO-2026-4342

Source: security@golang.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/01/15/4

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

Timeline

No history available yet.