CVE-2025-61730
Handshake messages may be processed at the incorrect encryption level in crypto/tls
Severity: 5.3 MEDIUM (CVSS 3.1)
EPSS: 0.01%
Description
During the TLS 1.3 handshake, if multiple messages are sent in records that span encryption-level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.
How to fix CVE-2025-61730
To remediate CVE-2025-61730, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 1.24.12 or later
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 1.25.6-1 or later
- —upgrade to 1.24.12 or later
Is CVE-2025-61730 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 1.24.12, >= 1.25.0, < 1.25.6
- from 0
- from 0
- from 0
- from 0, < 1.25.6-1
- from 0, < 1.24.12, >= 1.25.0, < 1.25.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |