CVE-2025-61729

HIGH severity · CVSS 7.5 · CWE-295

7.5CVSS HIGH

Summary

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (1)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://go.dev/cl/725920 ↗

Additional information

NVD record
https://go.dev/cl/725920Patch
https://go.dev/issue/76445Patch
https://pkg.go.dev/vuln/GO-2025-4155Advisory
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4