CVE-2025-61729

Published Dec 2, 2025

Last updated 3 months ago

CVSS high 7.5
Mysql

Overview

Description
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
Source
security@golang.org
NVD status
Analyzed
Products
go

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

nvd@nist.gov
CWE-295

Social media

Hype score
Not currently trending

  1. Critical security advisory for #Fedora 42 users! ๐Ÿ› ๏ธ The golang-github-openprinting-ipp-usb package (version < 0.9.31) is vulnerable to a DoS attack via CVE-2025-61729. Read more: ๐Ÿ‘‰ https://t.co/L4Kt4ICIs0 #Security https://t.co/CR4Jlv5VFV

    @Cezar_H_Linux

    15 Mar 2026

    151 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Critical Go sec update for #Mageia 9: MGASA-2025-0326 patches CVE-2025-61727 (DNS constraint bypass in crypto/x509) & CVE-2025-61729 (resource exhaustion DoS). Read more: ๐Ÿ‘‰ https://t.co/84x7Bln9EY #Security https://t.co/RYWVRzshYk

    @Cezar_H_Linux

    13 Dec 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. openSUSE releases Go 1.24.11 and 1.25.5 updates fixing crypto/x509 flaws CVE-2025-61727 and CVE-2025-61729 that can cause resource exhaustion and cert validation issues. #Vulnerability https://t.co/M1qJQmfpsR

    @threatcluster

    10 Dec 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-61729 Excessive resource consumption when printing error string for host certificate validation in crypto/x509 https://t.co/iFVGnVE8wm #cybersecurity #SecQube

    @SecQube

    9 Dec 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Go 1.25.5 is out today, including a security fix for GO-2025-4155 (CVE-2025-61729). https://t.co/SYwNGuo5Vg

    @zhangjintao9020

    3 Dec 2025

    667 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. ๐ŸŽ‰ Go 1.25.5 and 1.24.11 are released! ๐Ÿ” Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727). ๐Ÿ—ฃ Announcement: https://t.co/zG9tCI47Nf โฌ‡๏ธ Download: https://t.co/d45S6FsIsY #golang https://t.co/w6hYSx5Upg

    @golang

    2 Dec 2025

    27211 Impressions

    102 Retweets

    662 Likes

    26 Bookmarks

    12 Replies

    10 Quotes

Configurations

Related CVEs

  1. During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.โ€ขCVE-2025-68121
  2. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.โ€ขCVE-2025-61732
  3. It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.โ€ขCVE-2025-22873
  4. Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.โ€ขCVE-2025-68119
  5. Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.โ€ขCVE-2025-61731

References

Sources include official advisories and independent security research.