CVE-2025-61730

Published Jan 28, 2026

Last updated a month ago

CVSS medium 5.3
Golang
SSL

Overview

Description
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.
Source
security@golang.org
NVD status
Analyzed
Products
go

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. πŸ” Lambda Watchdog detected that CVE-2025-61730 is no longer present in latest AWS Lambda base image scans. https://t.co/PMzbSik8k5 #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    23 Feb 2026

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-61730 impacts libcap in 20 Lambda base images. Details: https://t.co/PMzbSik8k5 More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless

    @LambdaWatchdog

    8 Feb 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. πŸ” Lambda Watchdog detected that CVE-2025-61730 is no longer present in latest AWS Lambda base image scans. https://t.co/zjgsZtNJU8 #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    6 Feb 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-61730 During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions me… https://t.co/Z377UW1E8D

    @CVEnew

    28 Jan 2026

    162 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. πŸ₯³ Go 1.26 Release Candidate 2 is released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸƒβ€β™€οΈ Run it in dev! Run it in prod! F

    @golang

    15 Jan 2026

    22045 Impressions

    52 Retweets

    423 Likes

    30 Bookmarks

    4 Replies

    2 Quotes

  6. 🎊 Go 1.25.6 and 1.24.12 are released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸ“£ Announcement: https://t.co/seVA1REoeH πŸ“¦ Do

    @golang

    15 Jan 2026

    14651 Impressions

    53 Retweets

    279 Likes

    26 Bookmarks

    4 Replies

    3 Quotes

Configurations

Related CVEs

  1. During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.β€’CVE-2025-68121
  2. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.β€’CVE-2025-61732
  3. It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.β€’CVE-2025-22873
  4. Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.β€’CVE-2025-68119
  5. Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.β€’CVE-2025-61731

References

Sources include official advisories and independent security research.