CVE-2025-61729
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
CVSS 3.1 score: 7.5 (HIGH)
EPSS: 0.02%
Description
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
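As an added illustration (not the Go standard library's own code), the pattern the description refers to beside a bounded form: the hypothetical hostnameErrorQuadratic builds the message with repeated string concatenation and no limit on the hosts listed, while hostnameErrorBounded uses strings.Builder and caps the count; the cap maxHostsInError and the message wording are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Cap on names echoed back (assumed value; the advisory gives no limit).
const maxHostsInError = 10
// hostnameErrorQuadratic shows the pattern the advisory describes: += copies
// the whole string so far (O(n^2) in hosts) and nothing bounds the host count.
func hostnameErrorQuadratic(host string, hosts []string) string {
	msg := "x509: certificate is valid for "
	for i, h := range hosts {
		if i > 0 {
			msg += ", "
		}
		msg += h
	}
	return msg + ", not " + host
}

// hostnameErrorBounded is the hardened form: strings.Builder grows in amortised
// linear time and at most maxHostsInError names are listed.
func hostnameErrorBounded(host string, hosts []string) string {
	var b strings.Builder
	b.WriteString("x509: certificate is valid for ")
	for i, h := range hosts {
		if i >= maxHostsInError {
			fmt.Fprintf(&b, ", and %d more", len(hosts)-maxHostsInError)
			break
		}
		if i > 0 {
			b.WriteString(", ")
		}
		b.WriteString(h)
	}
	b.WriteString(", not ")
	b.WriteString(host)
	return b.String()
}

func main() {
	hosts := make([]string, 20000) // constructed: a cert with 20000 SANs
	for i := range hosts {
		hosts[i] = fmt.Sprintf("h%d.example", i)
	}
	fmt.Println(len(hostnameErrorQuadratic("t.example", hosts))) // slow, huge
	fmt.Println(hostnameErrorBounded("t.example", hosts))         // fast, short
}
```

With the constructed 20000-name certificate the quadratic form copies gigabytes of string data to produce a message hundreds of kilobytes long, while the bounded form does a single pass and emits a short line.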
How to fix CVE-2025-61729
To remediate CVE-2025-61729, upgrade the affected package to a fixed version below.
- —upgrade to 1.24.11 or later
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 1.25.6-1 or later
- —upgrade to 1.24.11 or later
Is CVE-2025-61729 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 1.24.11, >= 1.25.0, < 1.25.5
- from 0
- from 0
- from 0
- from 0, < 1.25.6-1
- from 0, < 1.24.11, >= 1.25.0, < 1.25.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |