CVE-2025-61730

MEDIUM severity · CVSS 5.3

5.3CVSS MEDIUM

Summary

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactLow

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://go.dev/cl/724120 ↗

Additional information

NVD record
https://go.dev/cl/724120Patch
https://go.dev/issue/76443Patch
https://pkg.go.dev/vuln/GO-2026-4340Advisory
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc