CVE-2025-61725 — Improper Input Validation in Standard Library NET Mail

CWE-20 — Improper Input Validation CWE-362 — Race Condition CWE-400 — Uncontrolled Resource Consumption CWE-407 — Inefficient Algorithmic Complexity CWE-444 — HTTP Request Smuggling CWE-770 — Allocation of Resources Without Limits or Throttling13 documents9 sources

Severity

7.5HIGHNVD

GHSA7.0OSV7.0

EPSS

0.0%

top 87.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library NET Mail Github.com Open-feature Flagd Core Github.com Open-feature Flagd Flagd +22 more

Timeline

PublishedOct 29

Latest updateJan 5

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages25 packages

▶debiandebian/golang-1.15< golang-1.24 1.24.8-1 (forky)

▶debiandebian/golang-1.19< golang-1.24 1.24.8-1 (forky)

▶debiandebian/golang-1.24< golang-1.24 1.24.8-1 (forky)

▶debiandebian/golang-1.25< golang-1.24 1.24.8-1 (forky)

▶CVEListV5go_standard_library/net_mail1.25.0 — 1.25.2+1

🔴Vulnerability Details

GHSA

flagd: Multiple Go Runtime CVEs Impact Security and Availability↗2026-01-05

▶

OSV

flagd: Multiple Go Runtime CVEs Impact Security and Availability↗2026-01-05

▶

GHSA

GHSA-qh38-484v-w52x: The ParseAddress function constructeds domain-literal address components through repeated string concatenation↗2025-10-30

▶

OSV

CVE-2025-61725: The ParseAddress function constructs domain-literal address components through repeated string concatenation↗2025-10-29

▶

OSV

Excessive CPU consumption in ParseAddress in net/mail↗2025-10-29

▶

📋Vendor Advisories

Red Hat

net/mail: Excessive CPU consumption in ParseAddress in net/mail↗2025-10-29

▶

Microsoft

Excessive CPU consumption in ParseAddress in net/mail↗2025-10-14

▶

Debian

CVE-2025-61725: golang-1.15 - The ParseAddress function constructs domain-literal address components through r...↗2025

▶

🕵️Threat Intelligence

Wiz

GHSA-4c5f-9mj4-m247 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-61725 docker-distribution: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]↗2025-10-30

▶

Bugzilla

CVE-2025-61725 docker-distribution: Excessive CPU consumption in ParseAddress in net/mail [fedora-42]↗2025-10-30

▶

Bugzilla

CVE-2025-61725 trivy: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]↗2025-10-30

▶