CVE-2025-61730 — Dependency on Vulnerable Third-Party Component in Standard Library Crypto TLS

CWE-1395 — Dependency on Vulnerable Third-Party Component9 documents7 sources

Severity

5.3MEDIUMNVD

GHSA7.5

EPSS

0.0%

top 99.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Crypto TLS Golang GO

Timeline

PublishedJan 28

Latest updateFeb 19

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgolang/go1.25.0 — 1.25.6+1

▶CVEListV5go_standard_library/crypto_tls1.25.0 — 1.25.6+1

Patches

Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

GHSA

Centrifugo v6.6.0 dependency vulnerabilities↗2026-02-19

▶

GHSA

GHSA-gr56-3gp6-6gmj: During the TLS 1↗2026-01-28

▶

OSV

Handshake messages may be processed at the incorrect encryption level in crypto/tls↗2026-01-28

▶

CVEList

Handshake messages may be processed at the incorrect encryption level in crypto/tls↗2026-01-28

▶

OSV

CVE-2025-61730: During the TLS 1↗2026-01-28

▶

📋Vendor Advisories

Debian

CVE-2025-61730: golang-1.15 - During the TLS 1.3 handshake if multiple messages are sent in records that span ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-61730 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

GHSA-j9wf-6r2x-hqmx Impact, Exploitability, and Mitigation Steps | Wiz↗

▶