CVE-2025-61729

Published: Dec 2, 2025Modified: Dec 19, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.24.11
Golang Go	From 1.25.0 to 1.25.5

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (4)

https://go.dev/cl/725920

Source: security@golang.org

Patch

https://go.dev/issue/76445

Source: security@golang.org

Issue TrackingPatch

https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2025-4155

Source: security@golang.org

Vendor Advisory

Timeline

No history available yet.