Vulnerability Report: GO-2025-4008

CVE-2025-58189, CVE-2025-58189
Affects: crypto/tls
Published: Oct 29, 2025

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected Packages

Path

Versions

Symbols
crypto/tls

before go1.24.8, from go1.25.0 before go1.25.2
9 affected symbols

Aliases

CVE-2025-58189
CVE-2025-58189

References

https://go.dev/cl/707776
https://go.dev/issue/75652
https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
https://vuln.go.dev/ID/GO-2025-4008.json

Credits

National Cyber Security Centre Finland

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL