CVE-2025-61725

Published Oct 29, 2025

Last updated 16 days ago

CVSS high 7.5
Mysql

Overview

Description
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.
Source
security@golang.org
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Social media

Hype score
Not currently trending

  1. ⚠️ Vulnerabilidades en productos VMware ❗ CVE-2025-61725 ❗ CVE-2025-58188 ❗ CVE-2025-58187 ➡️ Más info: https://t.co/f2QzldWdbF https://t.co/vkGw6I6sgQ

    @CERTpy

    15 Jan 2026

    98 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. 🚨 #SUSE Security Update: govulncheck-vulndb patch 2025:4395-1 is live. Updates the Go vulnerability DB with latest CVE/GHSA intel (inc. CVE-2025-61725). Read more: 👉 https://t.co/cZJtIvQqFw #Security https://t.co/jSJFfneXV1

    @Cezar_H_Linux

    15 Dec 2025

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-61725 The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can… https://t.co/REViLkIGni

    @CVEnew

    29 Oct 2025

    350 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).CVE-2026-35235
  2. SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the mysqlColumnAsInsert function in file plugins/mysql/lib/column.go.CVE-2026-33643
  3. During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.CVE-2025-68121
  4. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.CVE-2025-61732
  5. Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.CVE-2025-61731

References

Sources include official advisories and independent security research.