CVE-2025-61729 — Improper Certificate Validation in Standard Library Crypto X509

CWE-295 — Improper Certificate Validation CWE-1050 — Excessive Platform Resource Consumption within a Loop9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 93.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Crypto X509 Golang GO

Timeline

PublishedDec 2

Latest updateDec 9

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgolang/go1.25.0 — 1.25.5+1

▶CVEListV5go_standard_library/crypto_x5091.25.0 — 1.25.5+1

Patches

Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

CVEList

Excessive resource consumption when printing error string for host certificate validation in crypto/x509↗2025-12-02

▶

OSV

Excessive resource consumption when printing error string for host certificate validation in crypto/x509↗2025-12-02

▶

GHSA

GHSA-7c64-f9jr-v9h2: Within HostnameError↗2025-12-02

▶

OSV

CVE-2025-61729: Within HostnameError↗2025-12-02

▶

📋Vendor Advisories

Microsoft

Excessive resource consumption when printing error string for host certificate validation in crypto/x509↗2025-12-09

▶

Red Hat

crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate↗2025-12-02

▶

Debian

CVE-2025-61729: golang-1.15 - Within HostnameError.Error(), when constructing an error string, there is no lim...↗2025

▶

💬Community

Bugzilla

CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate↗2025-12-02

▶