CVE-2025-61730

MEDIUM

GO < 1.24.12 - Information Disclosure

Title source: rule

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

References (4)

Core 4

Core References

Patch

https://go.dev/cl/724120

Patch

https://go.dev/issue/76443

Release Notes

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Vendor Advisory

https://pkg.go.dev/vuln/GO-2026-4340

Scores

CVSS v3 5.3

EPSS 0.0001

EPSS Percentile 0.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

Status published

Products (1)

golang/go < 1.24.12

Published Jan 28, 2026

Tracked Since Feb 18, 2026