CVE-2025-61729
Published 2025-12-02
Priority P338 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.45% (35.9th percentile)
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
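As an added illustration (not the Go standard library's code), the two string-building patterns side by side: the unbounded `+=` loop the advisory describes, and a bounded `strings.Builder` version that caps how many names are echoed. The cap `maxHostsInError` and the SAN list are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

const maxHostsInError = 10 // assumed cap on SAN entries echoed into the message

// quadraticHostList is the pattern the advisory describes: every `+=` copies
// the whole growing prefix, so n hosts cost O(n^2) work and have no upper bound.
func quadraticHostList(hosts []string) string {
	s := ""
	for i, h := range hosts {
		if i > 0 {
			s += ", "
		}
		s += h
	}
	return s
}

// boundedHostList is the hardened form: strings.Builder appends in amortised
// linear time and output stops after maxHostsInError names, so a certificate
// carrying thousands of SANs cannot inflate the message or the work to build it.
func boundedHostList(hosts []string) string {
	var b strings.Builder
	shown := len(hosts)
	if shown > maxHostsInError {
		shown = maxHostsInError
	}
	for i := 0; i < shown; i++ {
		if i > 0 {
			b.WriteString(", ")
		}
		b.WriteString(hosts[i])
	}
	if rest := len(hosts) - shown; rest > 0 {
		fmt.Fprintf(&b, ", ... (%d more)", rest)
	}
	return b.String()
}

func main() {
	hosts := make([]string, 5000) // constructed SAN list standing in for a crafted cert
	for i := range hosts {
		hosts[i] = fmt.Sprintf("h%d.example.test", i)
	}
	fmt.Println("x509: certificate is valid for " + boundedHostList(hosts) + ", not victim.example")
}
```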
Affected
31 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| github.com | open-feature_flagd_core | >= 0 < 0.13.1 | 0.13.1 |
| github.com | open-feature_flagd_flagd | >= 0 < 0.13.1 | 0.13.1 |
| github.com | open-feature_flagd_flagd-proxy | >= 0 < 0.8.2 | 0.8.2 |
| go_standard_library | crypto_x509 | < 1.24.11 | 1.24.11 |
| go_standard_library | crypto_x509 | >= 1.25.0 < 1.25.5 | 1.25.5 |
| golang | go | < 1.24.11 | 1.24.11 |
| golang | go | >= 1.25.0 < 1.25.5 | 1.25.5 |
| msrc | azl3_gcc_13.2.0-7 | — | — |
| msrc | azl3_golang_1.23.12-1 | — | — |
| msrc | azl3_golang_1.25.3-1 | — | — |
| msrc | azl3_golang_1.25.5-1 | — | — |
| msrc | azl3_golang_1.25.6-1 | — | — |
| msrc | azl3_golang_1.25.7-1 | — | — |
| msrc | azl3_golang_1.25.8-1 | — | — |
| msrc | azl3_golang_1.26.0-1 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6 | — | — |
| msrc | azl3_tensorflow_2.16.1-9 | — | — |
| msrc | cbl2_gcc_11.2.0-8 | — | — |
| msrc | cbl2_gcc_11.2.0-9 | — | — |
| msrc | cbl2_golang_1.18.8-10 | — | — |
| msrc | cbl2_golang_1.22.7-5 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.0 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_msrc | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
GHSA
flagd: Multiple Go Runtime CVEs Impact Security and Availability
ghsa·2026-01-05·CVSS 7.0
CVE-2025-47907 [HIGH] CWE-20 flagd: Multiple Go Runtime CVEs Impact Security and Availability
### Summary
In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling.
| CVE ID | Impacted Package | Severity | Description & Impact on flagd |
| -- | -- | -- | -- |
| CVE-2025-47907 | database/sql | 7.0 (High) | Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations. |
| CVE-2025-61725 | net/mail | 7.5 (High) | DoS: Inefficient complexity in ParseAdd
OSV
flagd: Multiple Go Runtime CVEs Impact Security and Availability
osv·2026-01-05·CVSS 7.0
CVE-2025-47907 [HIGH] flagd: Multiple Go Runtime CVEs Impact Security and Availability
OSV
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
osv·2025-12-02
CVE-2025-61729 Excessive resource consumption when printing error string for host certificate validation in crypto/x509
GHSA
GHSA-7c64-f9jr-v9h2: Within HostnameError
ghsa_unreviewed·2025-12-02
CVE-2025-61729 [HIGH] GHSA-7c64-f9jr-v9h2: Within HostnameError
OSV
CVE-2025-61729: Within HostnameError
osv·2025-12-02·CVSS 7.5
CVE-2025-61729 [HIGH] CVE-2025-61729: Within HostnameError
Microsoft
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
vendor_msrc·2025-12-09·CVSS 7.5
CVE-2025-61729 [HIGH] Excessive resource consumption when printing error string for host certificate validation in crypto/x509
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Red Hat
crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
vendor_redhat·2025-12-02·CVSS 7.5
CVE-2025-61729 [HIGH] CWE-1050 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial
Debian
CVE-2025-61729: golang-1.15 - Within HostnameError.Error(), when constructing an error string, there is no lim...
vendor_debian·2025·CVSS 7.5
CVE-2025-61729 [HIGH] CVE-2025-61729: golang-1.15 - Within HostnameError.Error(), when constructing an error string, there is no lim...
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
bugzilla·2025-12-02·CVSS 7.5
CVE-2025-61729 [HIGH] CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:0922 https://access.redhat.com/errata/RHSA-2026:0922
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:0921 https://access.redhat.com/errata/RHSA-2026:0921
---
This iss
Wiz
GHSA-4c5f-9mj4-m247 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-47907 [HIGH] GHSA-4c5f-9mj4-m247 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4c5f-9mj4-m247: vulnerability analysis and mitigation
## Summary
In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling.
| CVE ID | Impacted Package | Severity | Description & Impact on flagd |
| -- | -- | -- | -- |
| CVE-2025-47907 | database/sql | 7.0 (High) | Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations. |
| CVE-2025-61725 | net/mail | 7.5 (High) | DoS: Inefficient complexity in ParseAddress. Attackers can provide crafted email strings with large domain literals to exhaust CPU if flagd parse |
Published 2025-12-02