CVE-2025-61729

EUVD-2025-200318
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
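The cost pattern described above, shown next to a bounded alternative. This is an added Go example, not the Go standard library's code and not taken from this advisory; the function names, the `maxNames` cap and the sample host names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// maxNames is a hypothetical cap chosen for this example.
const maxNames = 100

// joinQuadratic uses repeated concatenation: every += copies the whole string
// built so far, so n names cost O(n^2) bytes copied, with no limit on n.
func joinQuadratic(names []string) string {
	out := ""
	for i, n := range names {
		if i > 0 {
			out += ", "
		}
		out += n
	}
	return out
}

// joinBounded writes at most maxNames names into a strings.Builder and reports the rest as a count.
func joinBounded(names []string) string {
	var b strings.Builder
	shown := names
	if len(shown) > maxNames {
		shown = shown[:maxNames]
	}
	for i, n := range shown {
		if i > 0 {
			b.WriteString(", ")
		}
		b.WriteString(n)
	}
	if rest := len(names) - len(shown); rest > 0 {
		fmt.Fprintf(&b, " (and %d more)", rest)
	}
	return b.String()
}

func main() {
	names := make([]string, 5000) // constructed sample input
	for i := range names {
		names[i] = fmt.Sprintf("host%d.example.test", i)
	}
	fmt.Println(len(joinQuadratic(names)), len(joinBounded(names)))
}
```

The bounded form keeps both the work and the size of the message independent of how many names the peer's certificate carries.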
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CISA-ADP | ADP | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score
Percentile: 3%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.24.11 |
| golang | go | 1.25.0 ≤ 𝑥 < 1.25.5 |

𝑥 = Vulnerable software versions
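Debian Releases

| Debian Product | Codename | Status |
|---|---|---|
| golang-1.15 | bookworm | no-dsa |
| golang-1.15 | bullseye | vulnerable |
| golang-1.15 | trixie | no-dsa |
| golang-1.19 | bookworm | vulnerable |
| golang-1.19 | bullseye | postponed |
| golang-1.19 | trixie | no-dsa |
| golang-1.24 | bookworm | no-dsa |
| golang-1.24 | bullseye | postponed |
| golang-1.24 | forky | 1.24.13-2 fixed |
| golang-1.24 | sid | 1.24.13-2 fixed |
| golang-1.24 | trixie | no-dsa |
| golang-1.25 | bookworm | no-dsa |
| golang-1.25 | bullseye | postponed |
| golang-1.25 | forky | 1.25.7-2 fixed |
| golang-1.25 | sid | 1.25.7-2 fixed |
| golang-1.25 | trixie | no-dsa |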
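Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| golang-1.24 | jammy | dne |
| golang-1.24 | noble | dne |
| golang-1.24 | plucky | ignored |
| golang-1.24 | questing | needs-triage |
| golang-1.25 | jammy | dne |
| golang-1.25 | noble | dne |
| golang-1.25 | plucky | dne |
| golang-1.25 | questing | needs-triage |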