CVE-2025-61729

EUVD-2025-200318
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS Score: percentile unknown
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.24.11 |
| golang | go | 1.25.0 ≤ 𝑥 < 1.25.5 |

𝑥 = Vulnerable software versions
Debian Releases
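| Debian Product | Codename | Version | Status |
|---|---|---|---|
| golang-1.15 | bullseye | | postponed |
| golang-1.19 | bookworm | | no-dsa |
| golang-1.24 | forky | 1.24.13-2 | fixed |
| golang-1.24 | sid | 1.24.13-2 | fixed |
| golang-1.24 | trixie | | no-dsa |
| golang-1.25 | forky | 1.25.9-1 | fixed |
| golang-1.25 | sid | 1.25.9-1 | fixed |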
Ubuntu Releases
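| Ubuntu Product | Codename | Status |
|---|---|---|
| golang-1.24 | jammy | needs-triage |
| golang-1.24 | noble | needs-triage |
| golang-1.24 | plucky | ignored |
| golang-1.24 | questing | needs-triage |
| golang-1.25 | jammy | dne |
| golang-1.25 | noble | dne |
| golang-1.25 | plucky | dne |
| golang-1.25 | questing | needs-triage |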