CVE-2025-61728

6.5 MEDIUM

📋 TL;DR

Go's archive/zip package builds an index of an archive's entry names the first time an archive is opened through its fs.FS interface (Reader.Open), and the indexing algorithm in affected versions is inefficient enough that a specially crafted ZIP archive forces excessive CPU consumption. An attacker who can get an application to open such an archive can cause a denial of service. Any Go application built with an affected toolchain that processes ZIP archives from untrusted sources is affected.

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's archive/zip package
Versions: Go releases before 1.24.0, and 1.23.x releases before 1.23.5
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: archive/zip is part of the standard library and is compiled into each program, so every binary built with an affected toolchain that opens ZIP archives from untrusted sources is exposed until it is rebuilt with a fixed toolchain; updating the toolchain on its own changes nothing for binaries already built.

📦 What is this software?

archive/zip is the Go standard library package for reading and writing ZIP archives. Besides the classic Reader.File slice, a *zip.Reader has implemented io/fs.FS since Go 1.16, so callers can open entries by path with Reader.Open or walk an archive with fs.WalkDir; that path-based access is what builds the entry-name index involved here.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A single crafted archive pins a CPU core for a long time; a handful of concurrent requests saturate every core, taking the service down and starving other workloads on the same host.

🟠 Likely Case: Degraded performance or temporary unavailability of the service that processes ZIP files, with manual intervention (killing the process or scaling out) needed to recover.

🟢 If Mitigated: Minimal impact where archives from untrusted sources are size- and entry-count-limited and parsed under a timeout, though a rejected or timed-out archive still costs some CPU before the limit trips.

🌐 Internet-Facing: MEDIUM - Many internet-facing services accept ZIP uploads or fetch archives by URL; exploitation requires only that an attacker-supplied archive reach code that opens it through archive/zip.
🏢 Internal Only: LOW - Internal systems usually process archives they produced themselves, but the risk returns wherever user-generated or third-party archives (mail attachments, build artifacts, imports) are unpacked.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes, wherever the application accepts archives from unauthenticated users
Complexity: LOW

A proof of concept is available in the Go issue tracker. Exploitation needs no access beyond whatever the target application requires before it will accept and open a ZIP archive; the bug itself imposes no authentication requirement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.24.0 or Go 1.23.5

Vendor Advisory: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Restart Required: Yes

Instructions:

1. Update the Go toolchain to 1.24.0 or 1.23.5 (or later on the same branch).
2. Rebuild every affected application with the updated toolchain; archive/zip is compiled into each binary, so unchanged binaries remain vulnerable.
3. Restart services so that the rebuilt binaries are the ones running.

🔧 Temporary Workarounds

Limit ZIP file processing (platform: all)

Cap the size of archives accepted and parse them under a timeout. A goroutine that is already inside archive/zip cannot be interrupted, so a timeout in the same process only bounds how long the caller waits; to actually reclaim the CPU, do the parsing in a worker process that a supervisor can kill.

Input validation (platform: all)

After zip.NewReader has parsed the central directory, check len(Reader.File) and reject archives with an excessive number of entries before anything calls Reader.Open or walks the archive as an fs.FS, since that is the path that builds the entry-name index.

🧯 If You Can't Patch

  • Implement strict file size limits for ZIP uploads (e.g., <10MB), and pair them with an entry-count limit: the CPU cost of this bug is driven by the archive's entry names rather than its payload, and a central directory record is only a few dozen bytes, so a 10MB archive can still carry a very large number of entries
  • Use rate limiting and monitoring for ZIP processing endpoints, and isolate ZIP parsing in a separately supervised worker so that a runaway parse can be killed without taking the whole service down
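As an added example, not code from the Go project or from this advisory, the following Go program combines the workarounds above: it caps the archive size, checks the entry count that zip.NewReader exposes in Reader.File before anything calls Reader.Open (the fs.FS entry point that builds the entry-name index), and runs the fs.FS walk under a context deadline. The constants MaxArchiveBytes, MaxEntries and ProcessTimeout, the error values, and the helper BuildSampleZip are assumptions chosen for illustration; the archive it walks is constructed in memory, not a real sample.

```go
package main

import (
	"archive/zip"
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"time"
)

// Limits used by this example; the numbers are illustrative assumptions, not Go project guidance.
const (
	MaxArchiveBytes = 10 << 20        // 10 MiB, the size cap suggested above
	MaxEntries      = 10000           // maximum central-directory entries accepted
	ProcessTimeout  = 5 * time.Second // bound on how long the caller waits for one archive
)

var (
	ErrTooLarge       = errors.New("zip: archive exceeds size limit")
	ErrTooManyEntries = errors.New("zip: archive exceeds entry-count limit")
)

// OpenChecked reads at most MaxArchiveBytes, parses only the central directory (zip.NewReader)
// and enforces the entry-count limit. It never calls Reader.Open, so both checks run before
// archive/zip has any reason to build its entry-name index.
func OpenChecked(r io.Reader) (*zip.Reader, error) {
	data, err := io.ReadAll(io.LimitReader(r, MaxArchiveBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxArchiveBytes {
		return nil, ErrTooLarge
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	if n := len(zr.File); n > MaxEntries {
		return nil, fmt.Errorf("%w: %d entries", ErrTooManyEntries, n)
	}
	return zr, nil
}

// WalkWithTimeout lists regular files through the fs.FS interface under a deadline. A goroutine
// already inside archive/zip cannot be interrupted, so on timeout the caller returns at once and
// the walker is abandoned; in production, run this stage in a worker process that can be killed.
func WalkWithTimeout(ctx context.Context, zr *zip.Reader, timeout time.Duration) ([]string, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	var names []string
	done := make(chan error, 1)
	go func() {
		done <- fs.WalkDir(zr, ".", func(path string, d fs.DirEntry, err error) error {
			if err != nil {
				return err
			}
			if ctx.Err() != nil { // stop early once the deadline has passed
				return ctx.Err()
			}
			if !d.IsDir() {
				names = append(names, path)
			}
			return nil
		})
	}()
	select {
	case err := <-done:
		return names, err
	case <-ctx.Done():
		return nil, ctx.Err() // names is not read on this path, so the abandoned walker cannot race
	}
}

// BuildSampleZip constructs an in-memory archive of n stored one-byte files spread over
// seven directories. Constructed test input, not a real or malicious sample.
func BuildSampleZip(n int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for i := 0; i < n; i++ {
		f, err := w.CreateHeader(&zip.FileHeader{Name: fmt.Sprintf("dir%d/file%d.txt", i%7, i), Method: zip.Store})
		if err != nil {
			panic(err)
		}
		f.Write([]byte("x")) // writes to a bytes.Buffer cannot fail
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	zr, err := OpenChecked(bytes.NewReader(BuildSampleZip(5)))
	if err != nil {
		panic(err)
	}
	names, err := WalkWithTimeout(context.Background(), zr, ProcessTimeout)
	fmt.Println(len(names), "files listed; err =", err)
}
```

In a real service the bytes.Reader over BuildSampleZip would be the request body (already bounded by the HTTP server's own limits). The ordering is the point: size and entry-count checks both complete on the output of zip.NewReader alone, and only after they pass does any code touch Reader.Open. The timeout protects the request path, not the CPU; the parse that is abandoned keeps running inside the same process until it finishes, which is why the page's advice to isolate parsing in a killable worker still applies.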

🔍 How to Verify

Check if Vulnerable:

Check the toolchain with 'go version'. If the version is before 1.24.0 and not 1.23.5 or later on the 1.23 branch, the system is vulnerable. For deployed binaries, run 'go version -m <binary>', which reports the Go version the binary was built with; that is the version that matters, because archive/zip is compiled into the program.

Check Version:

go version

Verify Fix Applied:

Confirm that the toolchain and every rebuilt binary report 1.24.0 or 1.23.5 (or later on the same branch), then replay the known malicious ZIP sample against a staging instance and confirm that CPU time stays bounded.

📡 Detection & Monitoring

Log Indicators:

  • CPU usage spikes on ZIP-processing workers that coincide with archive handling
  • ZIP processing timeouts or deadline-exceeded errors
  • Worker restarts or health-check failures during archive extraction

Network Indicators:

  • ZIP uploads, not necessarily large ones, followed by service degradation
  • Repeated ZIP upload attempts from the same client

SIEM Query:

source="application.logs" AND ("zip" OR "archive") AND ("timeout" OR "high cpu" OR "denial of service")

🔗 References

  • Vendor advisory: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc