CVE-2025-61729

HIGH

GO < 1.24.11 - Improper Certificate Validation

Title source: rule

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

References (4)

[Patch] https://go.dev/cl/725920

[Issue Tracking, Patch] https://go.dev/issue/76445

[Mailing List, Release Notes] https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

[Vendor Advisory] https://pkg.go.dev/vuln/GO-2025-4155

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 1.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (1)

golang/go < 1.24.11

Published Dec 02, 2025

Tracked Since Feb 18, 2026