Vulnerability Report: GO-2025-4155

CVE-2025-61729, CVE-2025-61729
Affects: crypto/x509
Published: Dec 02, 2025
Modified: Dec 03, 2025

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected Packages

Path

Versions

Symbols
crypto/x509

before go1.24.11, from go1.25.0 before go1.25.5
- Certificate.Verify
- Certificate.VerifyHostname

Aliases

CVE-2025-61729
CVE-2025-61729

References

https://go.dev/cl/725920
https://go.dev/issue/76445
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
https://vuln.go.dev/ID/GO-2025-4155.json

Credits

Philippe Antoine (Catena cyber)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL