CVE-2025-58185

5.3 MEDIUM

📋 TL;DR

This vulnerability in Go's DER parsing allows an attacker to cause memory exhaustion by sending maliciously crafted DER payloads. It affects applications using Go's crypto/x509 or encoding/asn1 packages to parse untrusted DER data. Systems processing external certificates or ASN.1 data are primarily at risk.

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's crypto/x509 package
  • Applications using Go's encoding/asn1 package
Versions: Go versions before 1.23.4 and 1.24.1
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications that parse DER-encoded data from untrusted sources are vulnerable. Applications not using affected packages or not processing external DER data are not impacted.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service through memory exhaustion, potentially crashing the application or causing system instability.

🟠 Likely Case: Application crashes or becomes unresponsive when processing malicious DER payloads, leading to service disruption.

🟢 If Mitigated: Limited impact with proper memory limits and input validation in place, though some performance degradation may occur.

🌐 Internet-Facing: MEDIUM - Applications accepting untrusted DER data from external sources are vulnerable to DoS attacks.
🏢 Internal Only: LOW - Only systems processing untrusted DER data internally are affected, reducing exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious DER payloads to a vulnerable application. No authentication is needed if the application accepts external input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.23.4 and Go 1.24.1

Vendor Advisory: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

Restart Required: Yes

Instructions:

1. Update Go to version 1.23.4 or 1.24.1 using your package manager or the official Go distribution.
2. Recompile all affected applications with the updated Go version.
3. Restart services using the patched applications.

🔧 Temporary Workarounds

Limit DER input size (all platforms)

Implement size limits on DER payloads before parsing to prevent memory exhaustion.

// Go example: reject oversized payloads before they reach the parser (maxAllowedSize is an application-chosen bound)
if len(derData) > maxAllowedSize { return nil, errors.New("DER payload exceeds size limit") }

Input validation (all platforms)

Validate that DER payloads come from trusted sources before parsing.

// Implement source validation before calling x509.ParseCertificate() or similar functions

🧯 If You Can't Patch

  • Implement strict input size limits on all DER parsing operations
  • Isolate DER parsing services in containers with memory limits

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. If the version is earlier than 1.23.4 or 1.24.1 and the application parses untrusted DER data, it is vulnerable.

Check Version:

go version

Verify Fix Applied:

Verify that the Go version is 1.23.4 or 1.24.1 with 'go version' and confirm that applications have been recompiled with this version.

📡 Detection & Monitoring

Log Indicators:

  • Memory exhaustion errors
  • Application crashes during certificate parsing
  • High memory usage spikes during DER processing

Network Indicators:

  • Large DER payloads sent to services
  • Repeated DER parsing requests

SIEM Query:

source="application.logs" AND ("out of memory" OR "panic" OR "certificate parsing")
