Fluid Attacks Database

Description

Excessive CPU consumption when building archive index in archive/zip archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| =1.25.1-1 \|\| =1.25.2-1 \|\| =1.25.3-1 \|\| >=0 <1.25.6-1	1.25.6-1
go	stdlib	>=0 <1.24.12	1.24.12
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
rpm rhel9.6	grafana	<0:10.2.6-18.el9_6	0:10.2.6-18.el9_6
rpm rhel10	gvisor-tap-vsock	-	-
rpm rhel10.0	golang	<0:1.25.7-1.el10_0	0:1.25.7-1.el10_0
rpm rhel9.6	golang	<0:1.25.7-1.el9_6	0:1.25.7-1.el9_6
rpm rhel10	podman	<7:5.6.0-12.el10_1	7:5.6.0-12.el10_1
rpm rhel10	grafana	<0:10.2.6-22.el10_1	0:10.2.6-22.el10_1

1-10 of 27

Aliases

1. CVE-2025-617282. NVD-2025-617283. OSV-DEBIAN-2025-617284. OSV-2025-617285. OSV-GO-2026-43426. GCVE-2025-617287. SECURITY-TRACKER-CVE-2025-61728

References

1. https://go.dev/cl/7367132. https://go.dev/issue/771023. https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.