CVE-2025-68121 — Improper Certificate Validation in Standard Library Crypto TLS

CWE-295 — Improper Certificate Validation CWE-1395 — Dependency on Vulnerable Third-Party Component18 documents10 sources

Severity

10.0CRITICALNVD

GHSA7.5OSV7.5

EPSS

0.0%

top 95.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Crypto TLS Github.com Argoproj-labs Terraform-provider-argocd Github.com Centrifugal Centrifugo V6 +4 more

Timeline

PublishedFeb 5

Latest updateMar 23

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a se…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages7 packages

▶CVEListV5go_standard_library/crypto_tls1.25.0-0 — 1.25.7+2

▶NVDgolang/go1.25.0 — 1.25.7+2

▶Gogithub.com/traefik_traefik_v2< 2.11.37

▶Gogithub.com/traefik_traefik_v3< 3.6.8

▶Gogithub.com/centrifugal_centrifugo_v6< 6.6.1

Patches

Patch: go.dev ↗

🔴Vulnerability Details

OSV

Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121 in github.com/argoproj-labs/terraform-provider-argocd↗2026-03-23

▶

GHSA

Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121↗2026-03-18

▶

OSV

Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121↗2026-03-18

▶

OSV

Traefik affected by TLS ClientAuth Bypass on HTTP/3↗2026-02-20

▶

GHSA

Traefik affected by TLS ClientAuth Bypass on HTTP/3↗2026-02-20

▶

📋Vendor Advisories

Microsoft

Unexpected session resumption in crypto/tls↗2026-02-10

▶

Red Hat

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption↗2026-02-05

▶

Debian

CVE-2025-68121: golang-1.15 - During session resumption in crypto/tls, if the underlying Config has its Client...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68121 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

GHSA-j9wf-6r2x-hqmx Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption↗2026-02-05

▶