CVE-2025-61729

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
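The two problems named in the description, unbounded output and quadratic concatenation, shown side by side as an added example. This is not the Go standard library's code or its patch; `joinNaive`, `joinBounded` and the `maxListed` cap are hypothetical names and values chosen for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// maxListed is an assumed cap chosen for this example.
const maxListed = 100

// joinNaive mirrors the pattern the description calls out: every += copies the
// whole string built so far, so n names cost O(n^2) byte copies, with no bound on n.
func joinNaive(names []string) string {
	out := ""
	for i, n := range names {
		if i > 0 {
			out += ", "
		}
		out += n
	}
	return out
}

// joinBounded writes at most maxListed names into a strings.Builder (amortised
// linear time) and summarises the rest, so output size no longer tracks input size.
func joinBounded(names []string) string {
	var b strings.Builder
	for i, n := range names {
		if i == maxListed {
			b.WriteString(" (and " + strconv.Itoa(len(names)-maxListed) + " more)")
			break
		}
		if i > 0 {
			b.WriteString(", ")
		}
		b.WriteString(n)
	}
	return b.String()
}

func main() {
	// Constructed input standing in for a long list of certificate names.
	names := make([]string, 5000)
	for i := range names {
		names[i] = fmt.Sprintf("host%d.example.test", i)
	}
	fmt.Println(len(joinNaive(names)), len(joinBounded(names)))
}
```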
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Go | CNA | --- | --- | | | |
| CISA-ADP | ADP | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score percentile: 3%
| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.24.11 |
| golang | go | 1.25.0 ≤ 𝑥 < 1.25.5 |

𝑥 = Vulnerable software versions
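Debian Releases

| Debian Product | Codename | Status |
|---|---|---|
| golang-1.15 | bullseye | vulnerable |
| golang-1.15 | trixie | no-dsa |
| golang-1.15 | bookworm | no-dsa |
| golang-1.19 | bookworm | vulnerable |
| golang-1.19 | trixie | no-dsa |
| golang-1.19 | bullseye | postponed |
| golang-1.24 | trixie | no-dsa |
| golang-1.24 | bookworm | no-dsa |
| golang-1.24 | bullseye | postponed |
| golang-1.24 | forky | vulnerable |
| golang-1.24 | sid | vulnerable |
| golang-1.25 | forky | vulnerable |
| golang-1.25 | sid | vulnerable |
| golang-1.25 | trixie | no-dsa |
| golang-1.25 | bookworm | no-dsa |
| golang-1.25 | bullseye | postponed |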
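Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| golang-1.24 | questing | needs-triage |
| golang-1.24 | plucky | ignored |
| golang-1.24 | noble | dne |
| golang-1.24 | jammy | dne |
| golang-1.25 | questing | needs-triage |
| golang-1.25 | plucky | dne |
| golang-1.25 | noble | dne |
| golang-1.25 | jammy | dne |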