CVE-2025-61729

Aliases:GO-2025-4155BIT-golang-2025-61729

Advisory lineage Upstream: 0 Downstream: 151

Downstream

DEBIAN-CVE-2025-61729 MGASA-2025-0326 MGASA-2026-0147 OPENSUSE-SU-2025:15795-1 OPENSUSE-SU-2025:15796-1 OPENSUSE-SU-2025:15807-1

Analyzed

Published: 02 Dec 2025, 18:54

Last modified:03 Dec 2025, 19:37

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

02 Dec 2025, 18:54

Published

Vulnerability first disclosed

03 Dec 2025, 19:37

Last Modified

Vulnerability information updated

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.02%• Percentile: 5%

Techniques & Countermeasures

CWE-295•Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

Affected Systems

go standard library•crypto/x509
< 1.24.11 | ≥ 1.25.0, < 1.25.5
golang•go
< 1.24.11 | ≥ 1.25.0, < 1.25.5
Go•stdlib
≥ 1.25.0, < 1.25.5