Fluid Attacks Database

Description

Excessive resource consumption when printing error string for host certificate validation in crypto/x509 Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.24.11	1.24.11
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| =1.25.1-1 \|\| =1.25.2-1 \|\| =1.25.3-1 \|\| >=0 <1.25.6-1	1.25.6-1
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
rpm rhel8	git-lfs	<0:3.4.1-7.el8_10	0:3.4.1-7.el8_10
rpm rhel8.4	go-toolset	<0:1.15.14-3.module+el8.4.0+22765+91da4d3f	0:1.15.14-3.module+el8.4.0+22765+91da4d3f
rpm rhel9.4	grafana	<0:9.2.10-25.el9_4	0:9.2.10-25.el9_4
rpm rhel9.4	opentelemetry-collector	<0:0.135.0-3.el9_4	0:0.135.0-3.el9_4
rpm rhel10	runc	-	-

1-10 of 106

Aliases

1. CVE-2025-617292. NVD-2025-617293. OSV-GO-2025-41554. OSV-2025-617295. OSV-DEBIAN-2025-617296. GCVE-2025-617297. SECURITY-TRACKER-CVE-2025-61729

References

1. https://go.dev/cl/7259202. https://go.dev/issue/764453. https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.