CVE-2025-61728
Published 2026-01-28
CVE-2025-61728: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of…
Priority: P4 30 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.64% (46.3rd percentile)
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| github.com | centrifugal_centrifugo_v6 | >= 0 < 6.6.1 | 6.6.1 |
| go_standard_library | archive_zip | < 1.24.12 | 1.24.12 |
| go_standard_library | archive_zip | >= 1.25.0 < 1.25.6 | 1.25.6 |
| golang | go | < 1.24.12 | 1.24.12 |
| golang | go | >= 1.25.0 < 1.25.6 | 1.25.6 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 6.5 | LOW | |
| vendor_redhat | 6.5 | MEDIUM | |
GHSA
Centrifugo v6.6.0 dependency vulnerabilities
ghsa·2026-02-19·CVSS 7.5
CVE-2025-68121 [HIGH] CWE-1395 Centrifugo v6.6.0 dependency vulnerabilities
Centrifugo v6.6.0 dependency vulnerabilities
### Summary
Centrifugo v6.6.0 binary is compiled with **Go 1.25.5** and statically links `github.com/quic-go/webtransport-go v0.9.0`, having **7 known CVEs**
**Go standard library — compiled with Go 1.25.5:**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2025-68121 | **CRITICAL** | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |
**Direct dependency `github.com/quic-go/webtransport-go` — pinned at v0.9.0 (`go.mod` line 34):**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-202
OSV
Centrifugo v6.6.0 dependency vulnerabilities
osv·2026-02-19·CVSS 7.5
CVE-2025-68121 [HIGH] Centrifugo v6.6.0 dependency vulnerabilities
GHSA
GHSA-g9q4-qjx4-2v7q: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened
ghsa_unreviewed·2026-01-28
CVE-2025-61728 [MEDIUM] CWE-770 GHSA-g9q4-qjx4-2v7q: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
OSV
Excessive CPU consumption when building archive index in archive/zip
osv·2026-01-28
CVE-2025-61728 Excessive CPU consumption when building archive index in archive/zip
Excessive CPU consumption when building archive index in archive/zip
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
OSV
CVE-2025-61728: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened
osv·2026-01-28·CVSS 6.5
CVE-2025-61728 [MEDIUM] CVE-2025-61728: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Red Hat
golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
vendor_redhat·2026-01-28·CVSS 6.5
CVE-2025-61728 [MEDIUM] CWE-770 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.
Statement: To exploit this flaw, an attacker needs to be able to process a malici
Debian
CVE-2025-61728: golang-1.15 - archive/zip uses a super-linear file name indexing algorithm that is invoked the...
vendor_debian·2025·CVSS 6.5
CVE-2025-61728 [MEDIUM] CVE-2025-61728: golang-1.15 - archive/zip uses a super-linear file name indexing algorithm that is invoked the...
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-61728 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
bugzilla·2026-01-28·CVSS 6.5
CVE-2025-61728 [MEDIUM] CVE-2025-61728 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
CVE-2025-61728 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:2706 https://access.redhat.com/errata/RHSA-2026:2706
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:2708 https://access.redhat.com/errata/RHSA-2026:2708
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:2709 https://access.redhat.com/errata/RHSA-202
Wiz
CVE-2025-61728 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-61728 [MEDIUM] CVE-2025-61728 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61728: cAdvisor vulnerability analysis and mitigation
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Source : NVD
Score 6.5
Published January 28, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
cAdvisor
Docker
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
timoni
kube-rbac-proxy
Sources
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 16, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 18, 2026
Alpine 3.10, 3.1
Wiz
GHSA-j9wf-6r2x-hqmx Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68121 [HIGH] GHSA-j9wf-6r2x-hqmx Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-j9wf-6r2x-hqmx: vulnerability analysis and mitigation
## Summary
`github.com/quic-go/webtransport-go v0.9.0`

**Go standard library — compiled with Go 1.25.5:**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2025-68121 | CRITICAL | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |

**Direct dependency `github.com/quic-go/webtransport-go` (`go.mod`):**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21435 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21438 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
Source : NVD
Published February 19, 2026
Severity MEDIUM
CNA Score N/A
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Published 2026-01-28