AI description
CVE-2025-68121 is a vulnerability found within the `crypto/tls` package of the Go programming language, addressed in Go versions 1.25.6 and 1.24.12. This vulnerability encompasses two primary issues. Firstly, the `Config.Clone` function was found to leak automatically generated session ticket keys, which could potentially enable unauthorized session resumptions across different configurations. Secondly, the vulnerability involved an oversight in how TLS session resumptions were handled on the server side. Specifically, when determining if a session could be resumed, only the expiration of the leaf certificate was checked, neglecting the expiration status of intermediate or root certificates within the full certificate chain. This allowed sessions to be resumed even if a critical certificate in the chain had expired.
- Description: During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
- Source: security@golang.org
- NVD status: Undergoing Analysis
CVSS 3.1
- Type: Secondary
- Base score: 4.8
- Impact score: 2.5
- Exploitability score: 2.2
- Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity: MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-295
- Hype score: Not currently trending
New HIGH CVE detected in AWS Lambda. CVE-2025-68121 impacts libcap in 47 Lambda base images. Details: https://t.co/AienQPpdci More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
8 Feb 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.25.7, 1.24.13 fix 2 CVEs https://t.co/bf31PXLyCI CVE-2025-61732: cmd/cgo: Discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the cgo binary CVE-2025-68121: crypto/tls: Unexpected session resumption when using Config.GetConfigForClient
@oss_security
8 Feb 2026
355 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68121 Session Resumption Bypass in Go crypto/tls Config.GetConf... https://t.co/4QQ5o3ELgP Don't wait for vulnerability scanning results: https://t.co/oh1APvMMnd
@VulmonFeeds
5 Feb 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68121 During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake,… https://t.co/eWtYlhtxlj
@CVEnew
5 Feb 2026
326 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Go 1.25.7 and 1.24.13 are released! Security: Includes a security fix for cmd/cgo (CVE-2025-61732) and an update for crypto/tls (CVE-2025-68121). Announcement: https://t.co/gn4BwmFBh4 Download: https://t.co/cZRQix5aeM #golang https://t.co/NnF8ayxKrK
@golang
4 Feb 2026
12719 Impressions
44 Retweets
308 Likes
18 Bookmarks
2 Replies
2 Quotes
Go 1.26 Release Candidate 3 is released! Security: Includes an update for crypto/tls (CVE-2025-68121). Run it in dev! Run it in prod! File bugs! https://t.co/Ul1xGhvlkf Announcement: https://t.co/WTZSMY1fay Download: https://t.co/NoKrW5T8JG
@golang
4 Feb 2026
16768 Impressions
53 Retweets
380 Likes
22 Bookmarks
4 Replies
2 Quotes
Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration
@oss_security
16 Jan 2026
917 Impressions
2 Retweets
11 Likes
2 Bookmarks
1 Reply
0 Quotes
Go 1.26 Release Candidate 2 is released! Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). Run it in dev! Run it in prod! F
@golang
15 Jan 2026
22045 Impressions
52 Retweets
423 Likes
30 Bookmarks
4 Replies
2 Quotes
Go 1.25.6 and 1.24.12 are released! Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). Announcement: https://t.co/seVA1REoeH Do
@golang
15 Jan 2026
14651 Impressions
53 Retweets
279 Likes
26 Bookmarks
4 Replies
3 Quotes
A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.
@_mattata
13 Jan 2026
327 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes