CVE-2025-68121

Published Feb 5, 2026

Last updated 12 days ago

CVSS critical 10.0
Tls
Golang
Mysql
SSL

Overview

Description
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
Source
security@golang.org
NVD status
Modified
Products
go

Risk scores

CVSS 3.1

Type
Primary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-295

Social media

Hype score
Not currently trending

  1. πŸ” Lambda Watchdog detected that CVE-2025-68121 is no longer present in latest AWS Lambda base image scans. https://t.co/AienQPpdci #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    23 Feb 2026

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. After analyzing 84% of vulnerabilities from past week, CVE-2025-68121 has 16 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    14 Feb 2026

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. After analyzing 70% of vulnerabilities from past week, CVE-2025-68121 has 16 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    13 Feb 2026

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. After analyzing 56% of vulnerabilities from past week, CVE-2025-68121 has 14 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    12 Feb 2026

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. After analyzing 42% of vulnerabilities from past week, CVE-2025-68121 has 14 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    11 Feb 2026

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. A security vulnerability (CVE-2025-68121) in `golang` `crypto/tls` may lead to unexpected session resumption. Developers should review `golang` deployments and consider updating. #golang #TLS #infosec https://t.co/0Z74dpwA6H

    @pulsepatchio

    11 Feb 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    4 Replies

    0 Quotes

  7. 🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-68121 impacts libcap in 47 Lambda base images. Details: https://t.co/AienQPpdci More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless

    @LambdaWatchdog

    8 Feb 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Go 1.25.7, 1.24.13 fix 2 CVEs https://t.co/bf31PXLyCI CVE-2025-61732: cmd/cgo: Discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the cgo binary CVE-2025-68121: crypto/tls: Unexpected session resumption when using Config.GetConfigForClient

    @oss_security

    8 Feb 2026

    355 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-68121 Session Resumption Bypass in Go crypto/tls Config.GetConf... https://t.co/4QQ5o3ELgP Don't wait vulnerability scanning results: https://t.co/oh1APvMMnd

    @VulmonFeeds

    5 Feb 2026

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-68121 During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake,… https://t.co/eWtYlhtxlj

    @CVEnew

    5 Feb 2026

    326 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. πŸŽ‰ Go 1.25.7 and 1.24.13 are released! πŸ” Security: Includes a security fix for cmd/cgo (CVE-2025-61732) and an update for crypto/tls (CVE-2025-68121). πŸ—£ Announcement: https://t.co/gn4BwmFBh4 πŸ“¦ Download: https://t.co/cZRQix5aeM #golang https://t.co/NnF8ayxKrK

    @golang

    4 Feb 2026

    12719 Impressions

    44 Retweets

    308 Likes

    18 Bookmarks

    2 Replies

    2 Quotes

  12. πŸ₯³ Go 1.26 Release Candidate 3 is released! πŸ” Security: Includes an update for crypto/tls (CVE-2025-68121). πŸƒβ€β™‚οΈ Run it in dev! Run it in prod! File bugs! https://t.co/Ul1xGhvlkf πŸ“’ Announcement: https://t.co/WTZSMY1fay ⬇️ Download: https://t.co/NoKrW5T8JG

    @golang

    4 Feb 2026

    16768 Impressions

    53 Retweets

    380 Likes

    22 Bookmarks

    4 Replies

    2 Quotes

  13. Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration

    @oss_security

    16 Jan 2026

    917 Impressions

    2 Retweets

    11 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  14. πŸ₯³ Go 1.26 Release Candidate 2 is released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸƒβ€β™€οΈ Run it in dev! Run it in prod! F

    @golang

    15 Jan 2026

    22045 Impressions

    52 Retweets

    423 Likes

    30 Bookmarks

    4 Replies

    2 Quotes

  15. 🎊 Go 1.25.6 and 1.24.12 are released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸ“£ Announcement: https://t.co/seVA1REoeH πŸ“¦ Do

    @golang

    15 Jan 2026

    14651 Impressions

    53 Retweets

    279 Likes

    26 Bookmarks

    4 Replies

    3 Quotes

  16. A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.β€‹β€Œβ£β€Œβ£β€Œβ€Œβ€Œβ€Œβ€Œβ£β£β€Œβ€Œβ€Œβ€Œβ£β€Œβ£β£

    @_mattata

    13 Jan 2026

    327 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.β€’CVE-2025-61732
  2. It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.β€’CVE-2025-22873
  3. Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.β€’CVE-2025-68119
  4. Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.β€’CVE-2025-61731
  5. The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.β€’CVE-2025-61726

References

Sources include official advisories and independent security research.