AI description
CVE-2025-61729 is a vulnerability within the `crypto/x509` package of the Go standard library. Specifically, the `HostnameError.Error()` method is susceptible to uncontrolled resource consumption. The vulnerability arises because there is no limit to the number of hosts printed when constructing an error string within `HostnameError.Error()`. Furthermore, the error string is built through repeated string concatenation, leading to quadratic runtime. A malicious actor could exploit this by providing a certificate that leads to excessive resource consumption.
- Description
- Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
- Source
- security@golang.org
- NVD status
- Awaiting Analysis
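The string-building pattern named in the description, next to a bounded linear-time alternative, as an added Go example (not code from the Go standard library or its fix). The function names, the `maxListed` cap of 100 and the sample host names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const maxListed = 100 // assumed cap for this example, not a value taken from the Go fix

// joinQuadratic: every += copies the whole string built so far, so n names cost
// O(n^2) byte copies, and nothing limits n.
func joinQuadratic(names []string) string {
	valid := ""
	for _, n := range names {
		if len(valid) > 0 {
			valid += ", "
		}
		valid += n
	}
	return valid
}

// joinBounded: at most maxListed names go through a strings.Builder (amortized
// linear time); the remainder is summarized, so output size stops tracking input size.
func joinBounded(names []string) string {
	var b strings.Builder
	shown := names
	if len(shown) > maxListed {
		shown = shown[:maxListed]
	}
	for i, n := range shown {
		if i > 0 {
			b.WriteString(", ")
		}
		b.WriteString(n)
	}
	if rest := len(names) - len(shown); rest > 0 {
		b.WriteString(" and " + strconv.Itoa(rest) + " more")
	}
	return b.String()
}

func main() {
	// Constructed input standing in for the name list carried by a certificate.
	names := make([]string, 5000)
	for i := range names {
		names[i] = "host" + strconv.Itoa(i) + ".example"
	}
	fmt.Println(len(joinQuadratic(names)), len(joinBounded(names)))
}
```

Code that formats or logs certificate verification errors on builds without the fix can apply the same bound to any attacker-influenced list before turning it into a string.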
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 2
Go 1.25.5 is out today, including a security fix for GO-2025-4155 (CVE-2025-61729). https://t.co/SYwNGuo5Vg
@zhangjintao9020
3 Dec 2025
667 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.25.5 and 1.24.11 are released! Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727). Announcement: https://t.co/zG9tCI47Nf Download: https://t.co/d45S6FsIsY #golang https://t.co/w6hYSx5Upg
@golang
2 Dec 2025
27211 Impressions
102 Retweets
662 Likes
26 Bookmarks
12 Replies
10 Quotes