CVE-2025-61728

Published Jan 28, 2026

Last updated a month ago

Overview

Description
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Source
security@golang.org
NVD status
Analyzed
Products
go

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-770

Social media

Hype score
Not currently trending
  1. πŸ” Lambda Watchdog detected that CVE-2025-61728 is no longer present in latest AWS Lambda base image scans. https://t.co/S4lJuFVzW8 #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    23 Feb 2026

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-61728 impacts libcap in 20 Lambda base images. Details: https://t.co/S4lJuFVzW8 More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless

    @LambdaWatchdog

    8 Feb 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. πŸ” Lambda Watchdog detected that CVE-2025-61728 is no longer present in latest AWS Lambda base image scans. https://t.co/vyqPfUP0RB #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    6 Feb 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-61728 archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when … https://t.co/UgjkZcZJzN

    @CVEnew

    28 Jan 2026

    131 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Top 5 Trending CVEs: 1 - CVE-2023-20198 2 - CVE-2025-32711 3 - CVE-2025-20393 4 - CVE-2025-61728 5 - CVE-2026-22812 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    18 Jan 2026

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 Go Releases Security Updates Fixing Memory-Exhaustion ZIP DoS and Multiple Runtime Risks Go 1.25.6 and 1.24.12 patch six vulnerabilities, including a high-impact archive/zip flaw (CVE-2025-61728) that can trigger super-linear processing and memory/CPU exhaustion when opening

    @ThreatSynop

    16 Jan 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Released #golang compression v1.18.3 containing upstream CVE-2025-61728 fix: https://t.co/XNfN4TUq2A

    @sh0dan

    16 Jan 2026

    112 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration

    @oss_security

    16 Jan 2026

    917 Impressions

    2 Retweets

    11 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  9. 🥳 Go 1.26 Release Candidate 2 is released! Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). Run it in dev! Run it in prod! F

    @golang

    15 Jan 2026

    22045 Impressions

    52 Retweets

    423 Likes

    30 Bookmarks

    4 Replies

    2 Quotes

  10. 🎊 Go 1.25.6 and 1.24.12 are released! Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). 📣 Announcement: https://t.co/seVA1REoeH 📦 Do

    @golang

    15 Jan 2026

    14651 Impressions

    53 Retweets

    279 Likes

    26 Bookmarks

    4 Replies

    3 Quotes

  11. A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.

    @_mattata

    13 Jan 2026

    327 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations