AI description
CVE-2025-61729 is a vulnerability within the `crypto/x509` package of the Go standard library. Specifically, the `HostnameError.Error()` method is susceptible to uncontrolled resource consumption. The vulnerability arises because there is no limit to the number of hosts printed when constructing an error string within `HostnameError.Error()`. Furthermore, the error string is built through repeated string concatenation, leading to quadratic runtime. A malicious actor could exploit this by providing a certificate that leads to excessive resource consumption.
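A defensive pattern for code that logs hostname verification failures, given here as an added example (it is not code from the advisory or from the Go project): it summarizes an `x509.HostnameError` from the struct's own fields in linear time and with a fixed cap, instead of calling `Error()`. The names `summarizeHostnameError` and `clip` and the two limits are assumptions made for this example.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// Assumed limits for this example; tune them to your log pipeline.
const maxNames, maxNameLen = 10, 64

// summarizeHostnameError describes a hostname mismatch in bounded, linear time
// without calling HostnameError.Error(). ok is false for any other error.
func summarizeHostnameError(err error) (msg string, ok bool) {
	var he x509.HostnameError
	if !errors.As(err, &he) || he.Certificate == nil {
		return "", false
	}
	names := he.Certificate.DNSNames // length and content come from the peer
	var b strings.Builder            // appends are amortized O(1), unlike +=
	fmt.Fprintf(&b, "x509: hostname mismatch for %q; certificate lists %d DNS names: ", clip(he.Host), len(names))
	for i := 0; i < len(names) && i < maxNames; i++ {
		fmt.Fprintf(&b, "%q ", clip(names[i]))
	}
	if extra := len(names) - maxNames; extra > 0 {
		fmt.Fprintf(&b, "(+%d more)", extra)
	}
	return b.String(), true
}

// clip truncates s to maxNameLen bytes so one oversized name cannot bloat a log line.
func clip(s string) string {
	if len(s) > maxNameLen {
		return s[:maxNameLen] + "..."
	}
	return s
}

func main() {
	// Constructed input: a certificate struct carrying 50,000 SAN entries.
	cert := &x509.Certificate{DNSNames: make([]string, 50000)}
	for i := range cert.DNSNames {
		cert.DNSNames[i] = fmt.Sprintf("h%d.example.test", i)
	}
	err := fmt.Errorf("dial: %w", x509.HostnameError{Certificate: cert, Host: "api.example.test"})
	fmt.Println(summarizeHostnameError(err))
}
```

The example lists DNS names only, and any other code path that formats the error with `Error()` is not covered by it.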
- Description
- Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
- Source
- security@golang.org
- NVD status
- Analyzed
- Products
- go
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
- nvd@nist.gov
- CWE-295
- Hype score
- Not currently trending
Critical Go sec update for #Mageia 9: MGASA-2025-0326 patches CVE-2025-61727 (DNS constraint bypass in crypto/x509) & CVE-2025-61729 (resource exhaustion DoS). Read more: https://t.co/84x7Bln9EY #Security https://t.co/RYWVRzshYk
@Cezar_H_Linux
13 Dec 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
openSUSE releases Go 1.24.11 and 1.25.5 updates fixing crypto/x509 flaws CVE-2025-61727 and CVE-2025-61729 that can cause resource exhaustion and cert validation issues. #Vulnerability https://t.co/M1qJQmfpsR
@threatcluster
10 Dec 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-61729 Excessive resource consumption when printing error string for host certificate validation in crypto/x509 https://t.co/iFVGnVE8wm #cybersecurity #SecQube
@SecQube
9 Dec 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.25.5 is out today, including a security fix for GO-2025-4155 (CVE-2025-61729). https://t.co/SYwNGuo5Vg
@zhangjintao9020
3 Dec 2025
667 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.25.5 and 1.24.11 are released! Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727). Announcement: https://t.co/zG9tCI47Nf Download: https://t.co/d45S6FsIsY #golang https://t.co/w6hYSx5Upg
@golang
2 Dec 2025
27211 Impressions
102 Retweets
662 Likes
26 Bookmarks
12 Replies
10 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F2E6FD2A-A487-4099-B91D-2429F286AC6D",
            "versionEndExcluding": "1.24.11"
          },
          {
            "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "39C03A37-B94B-46E4-B1C2-A70A870F8E53",
            "versionEndExcluding": "1.25.5",
            "versionStartIncluding": "1.25.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]