AI description
CVE-2025-61726 addresses a vulnerability found in Go 1.25.6 and Go 1.24.12, specifically within the `crypto/tls` package. The issue arises because the `Config.Clone` method, when used on a `Config` object already passed to a TLS function, allows for its mutation and reuse. This can lead to problems if `Config.SessionTicketKey` has not been explicitly set or `Config.SetSessionTicketKeys` has not been called, as `crypto/tls` will then generate random session ticket keys. The vulnerability is further compounded by the fact that session resumption does not properly account for the expiration of the full certificate chain. This combination of factors allows for potential misuse of TLS configurations.
- Description
- The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
- Source
- security@golang.org
- NVD status
- Analyzed
- Products
- go
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
- nvd@nist.gov
- CWE-770
- Hype score
- Not currently trending
π Lambda Watchdog detected that CVE-2025-61726 is no longer present in latest AWS Lambda base image scans. https://t.co/wBXcevU4un #AWS #Lambda #Security #CVE #DevOps #SecOps
@LambdaWatchdog
23 Feb 2026
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
π¨ New HIGH CVE detected in AWS Lambda π¨ CVE-2025-61726 impacts libcap in 20 Lambda base images. Details: https://t.co/wBXcevU4un More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
8 Feb 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
π Lambda Watchdog detected that CVE-2025-61726 is no longer present in latest AWS Lambda base image scans. https://t.co/WfXf9keUSw #AWS #Lambda #Security #CVE #DevOps #SecOps
@LambdaWatchdog
6 Feb 2026
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go language (golang) users: A memory exhaustion vulnerability (CVE-2025-61726) in net/url query parsing may lead to service disruption. Consider updating to address this #golang #vulnerability #infosec. https://t.co/4jWh9WvWdJ
@pulsepatchio
1 Feb 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-61726 The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the β¦ https://t.co/HgBQCfwBvp
@CVEnew
28 Jan 2026
138 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration
@oss_security
16 Jan 2026
917 Impressions
2 Retweets
11 Likes
2 Bookmarks
1 Reply
0 Quotes
π₯³ Go 1.26 Release Candidate 2 is released! π Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πββοΈ Run it in dev! Run it in prod! F
@golang
15 Jan 2026
22045 Impressions
52 Retweets
423 Likes
30 Bookmarks
4 Replies
2 Quotes
π Go 1.25.6 and 1.24.12 are released! π Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). π£ Announcement: https://t.co/seVA1REoeH π¦ Do
@golang
15 Jan 2026
14651 Impressions
53 Retweets
279 Likes
26 Bookmarks
4 Replies
3 Quotes
A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.βββ£ββ£ββββββ£β£βββββ£ββ£β£
@_mattata
13 Jan 2026
327 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "21FD9368-8AB3-404B-8599-BBF64EFE3C7B",
"versionEndExcluding": "1.24.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A547E844-78D2-4B17-B7A9-73E7B503D2CE",
"versionEndExcluding": "1.25.6",
"versionStartIncluding": "1.25.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]