CVE-2025-61729

7.5 HIGH

📋 TL;DR

The HostnameError.Error() method in Go's crypto/x509 package, which crypto/tls surfaces whenever a peer certificate fails hostname verification, builds its message by appending the certificate's Subject Alternative Name entries to a string with repeated +=, so its running time and allocations grow quadratically with the number of entries. A malicious certificate carrying a very large number of SANs therefore costs disproportionate CPU and memory every time the error is formatted, for example when a failed handshake is logged, and an attacker can use this to cause denial of service against any Go program that validates their certificate against a hostname or IP address.
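The quadratic pattern described above, as an added example that is not Go's source code: quadraticValidList mirrors the repeated += concatenation the advisory describes, linearValidList is the hardened form using strings.Join, and manyIPSANs builds a constructed list of IP SAN values of the kind a hostile certificate could carry. The timings printed by main roughly quadruple for the quadratic version each time the entry count doubles, while the linear version grows proportionally.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// manyIPSANs builds a constructed list of n IP SAN values in 10.0.0.0/8.
// These are synthetic inputs standing in for the IPAddresses field of a
// hostile certificate; nothing here is parsed from a real certificate.
func manyIPSANs(n int) []net.IP {
	ips := make([]net.IP, 0, n)
	for i := 0; i < n; i++ {
		ips = append(ips, net.IPv4(10, byte(i>>16), byte(i>>8), byte(i)))
	}
	return ips
}

// quadraticValidList mirrors the vulnerable pattern: growing a string with
// += inside a loop copies the whole accumulated string on every iteration,
// so total work is O(n^2) in the number of SAN entries. Modelled on the
// pattern the advisory describes; this is not Go's own implementation.
func quadraticValidList(ips []net.IP) string {
	var valid string
	for _, san := range ips {
		if len(valid) > 0 {
			valid += ", "
		}
		valid += san.String()
	}
	return valid
}

// linearValidList is the hardened form: format each entry once, then join
// with a single allocation, which is O(n).
func linearValidList(ips []net.IP) string {
	parts := make([]string, len(ips))
	for i, san := range ips {
		parts[i] = san.String()
	}
	return strings.Join(parts, ", ")
}

// hostnameMessage assembles the error text in the shape Go uses:
// "x509: certificate is valid for <list>, not <host>".
func hostnameMessage(valid, host string) string {
	return "x509: certificate is valid for " + valid + ", not " + host
}

func main() {
	for _, n := range []int{5_000, 10_000, 20_000} {
		ips := manyIPSANs(n)

		start := time.Now()
		q := quadraticValidList(ips)
		tq := time.Since(start)

		start = time.Now()
		l := linearValidList(ips)
		tl := time.Since(start)

		fmt.Printf("n=%6d  quadratic=%-12v linear=%-12v same output=%v\n", n, tq, tl, q == l)
	}
	fmt.Println(hostnameMessage(linearValidList(manyIPSANs(3)), "192.0.2.1"))
}
```

Both functions produce byte-identical output, so the fix is purely a change in how the string is assembled; the difference shows up only in the cost, which is the whole point of the finding.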

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's crypto/x509 package, directly or through crypto/tls
Versions: Go 1.23.0 through 1.23.2. Confirm the exact affected and fixed releases against the Go vulnerability database (pkg.go.dev/vuln) or with govulncheck before closing the finding, since the fix lands in point releases.
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only code that verifies a peer certificate against a hostname or IP address and then formats the resulting error is exposed. Go TLS clients do this by default, as does any code calling Certificate.Verify with DNSName set or Certificate.VerifyHostname. Servers that accept client certificates without matching them against a name do not produce this error.

📦 What is this software?

Go is the programming language and standard library maintained by Google. Its crypto/x509 package parses and verifies X.509 certificates, and crypto/tls builds TLS clients and servers on top of it. HostnameError is the crypto/x509 error type returned when a certificate does not match the hostname or IP address it was checked against; its Error() method produces the familiar "x509: certificate is valid for ..., not ..." message.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service: sustained CPU consumption and allocation churn while the error strings are built, and enough concurrent hostile handshakes can make the process unresponsive or trigger an out-of-memory kill.

🟠

Likely Case

Degraded performance and elevated resource usage whenever a malicious certificate is validated and the resulting error is formatted (typically in a log line), causing intermittent service disruption.

🟢

If Mitigated

Minimal impact once the runtime is patched, or where a SAN cap is enforced before hostname verification and handshake timeouts and resource limits are in place.

🌐 Internet-Facing: HIGH - Go clients that connect to servers outside your control (webhooks, outbound integrations, crawlers, health checkers) receive the attacker's certificate directly, and any endpoint that matches peer certificates against a name is exposed.
🏢 Internal Only: MEDIUM - Internal Go services that verify peer certificates against names are still vulnerable, but the attacker must first control or spoof a peer on the internal network.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that the attacker present a certificate carrying a very large number of SAN entries to a Go peer that checks it against a hostname or IP address; no credentials or prior access are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.23.3

Vendor Advisory: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

Restart Required: Yes

Instructions:

1. Update the Go toolchain to 1.23.3 or later on every build host and in CI images.
2. Recompile and redeploy every affected binary. Go programs embed the standard library at build time, so updating the toolchain alone does nothing for binaries that were already built.
3. Restart services using the updated binaries.

🔧 Temporary Workarounds

Limit certificate SAN entries (all platforms)

Reject peer certificates carrying an excessive number of Subject Alternative Name entries before hostname verification runs. In Go this means parsing the leaf and counting its names in a VerifyPeerCertificate or VerifyConnection callback; a cap in the low hundreds is far above what legitimate certificates carry.
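One way to enforce the SAN cap in a Go client, as an added example that is not part of the Go project or this advisory: checkSANLimit rejects a leaf with more than maxSANs names, and verifyWithSANCap wraps it in a VerifyPeerCertificate callback that then performs the usual chain and hostname verification itself. maxSANs (256) is an assumed limit, and the certificates in main are constructed struct literals, not signed certificates.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
)

// maxSANs is an assumed cap. Public CAs issue far fewer names per certificate
// (Let's Encrypt, for instance, allows at most 100), so anything well above
// that is treated as hostile.
const maxSANs = 256

// sanCount returns the total number of name entries in the certificate's
// Subject Alternative Name extension.
func sanCount(cert *x509.Certificate) int {
	return len(cert.DNSNames) + len(cert.IPAddresses) + len(cert.EmailAddresses) + len(cert.URIs)
}

// checkSANLimit rejects a leaf whose SAN count exceeds limit before any
// hostname matching (and therefore any HostnameError formatting) happens.
func checkSANLimit(cert *x509.Certificate, limit int) error {
	if n := sanCount(cert); n > limit {
		return fmt.Errorf("tls: peer certificate has %d SAN entries, limit is %d", n, limit)
	}
	return nil
}

// verifyWithSANCap returns a VerifyPeerCertificate callback that applies the
// cap and then runs the chain and hostname verification crypto/tls would
// otherwise do. It must be paired with InsecureSkipVerify: true, because the
// built-in verification runs before this callback and would already have
// produced the expensive error for a hostile certificate.
func verifyWithSANCap(host string, roots *x509.CertPool, limit int) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("tls: peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if err := checkSANLimit(leaf, limit); err != nil {
			return err
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			intermediates.AddCert(c)
		}
		// Roots == nil falls back to the system root store.
		_, err = leaf.Verify(x509.VerifyOptions{
			DNSName:       host,
			Roots:         roots,
			Intermediates: intermediates,
		})
		return err
	}
}

// clientConfig builds a tls.Config for dialing host with the cap enforced.
func clientConfig(host string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName:            host,
		InsecureSkipVerify:    true, // verification happens in VerifyPeerCertificate instead
		VerifyPeerCertificate: verifyWithSANCap(host, roots, maxSANs),
		MinVersion:            tls.VersionTLS12,
	}
}

func main() {
	// Constructed certificates (unsigned struct literals) to exercise the cap offline.
	small := &x509.Certificate{DNSNames: []string{"example.com", "www.example.com"}}
	ips := make([]net.IP, 0, 5000)
	for i := 0; i < 5000; i++ {
		ips = append(ips, net.IPv4(10, 0, byte(i>>8), byte(i)))
	}
	hostile := &x509.Certificate{IPAddresses: ips}

	fmt.Println("small:  ", checkSANLimit(small, maxSANs))
	fmt.Println("hostile:", checkSANLimit(hostile, maxSANs))
	_ = clientConfig("example.com", nil)
}
```

The cap only helps if it runs before the built-in verification, which is why the config sets InsecureSkipVerify and moves verification into the callback; keep the callback's own Verify call, otherwise the connection is unauthenticated.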

Implement rate limiting (all platforms)

Rate-limit TLS handshake attempts per source and set handshake timeouts so that an attacker cannot keep the verifier busy with a stream of hostile certificates.

🧯 If You Can't Patch

  • Terminate TLS in front of the service with a proxy or load balancer that is not built on the affected Go version, so hostile peer certificates never reach the vulnerable verifier. A WAF operating at the HTTP layer cannot see the peer certificate and does not help here.
  • Deploy resource limits (CPU, memory) and handshake timeouts on affected services to contain potential DoS impact.

🔍 How to Verify

Check if Vulnerable:

Run 'go version' on the build host; 1.23.0 through 1.23.2 is the affected range. Because Go binaries embed the toolchain version they were built with, also check deployed artifacts with 'go version -m <binary>', which prints the embedded Go version and module list, and run 'govulncheck ./...' (or 'govulncheck -mode=binary <binary>') to confirm whether the vulnerable function is actually reachable from your code.

Check Version:

go version

Verify Fix Applied:

After updating and rebuilding, 'go version -m <binary>' on the redeployed artifact shows go1.23.3 or later, and govulncheck no longer reports this CVE.

📡 Detection & Monitoring

Log Indicators:

  • "x509: certificate is valid for <list>, not <host>" errors (usually wrapped as "tls: failed to verify certificate: ...") whose name list runs to thousands of entries
  • CPU spikes and allocation churn on the verifying process coinciding with failed handshakes
  • TLS handshake timeouts or failures concentrated on a particular peer

Network Indicators:

  • TLS connections presenting certificates with many SAN entries
  • Unusual volume of TLS handshake attempts

SIEM Query:

source="tls_logs" AND message="*x509: certificate is valid for*" | where len(message) > 4096

Ordinary hostname mismatches produce the same message, so filter on message length or on the number of comma-separated names rather than on the string alone.
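Detection logic run over constructed log lines, added here as an example (the lines and the hostileMessage helper are synthetic, not captured data): parseHostnameError extracts the SAN list from Go's "x509: certificate is valid for <list>, not <host>" message, and flagSuspicious reports lines whose list exceeds a threshold, which is what the SIEM query above approximates with a length filter.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	validForPrefix = "x509: certificate is valid for "
	notMarker      = ", not "
)

// HostnameErrorLine is the result of parsing one logged hostname-mismatch error.
type HostnameErrorLine struct {
	Line     string
	Names    int    // number of SAN names listed in the message
	WantHost string // the host the certificate was checked against
}

// parseHostnameError extracts the SAN list length and expected host from a
// log line carrying Go's "x509: certificate is valid for <list>, not <host>"
// message. The second return value is false when the line lacks that message.
func parseHostnameError(line string) (HostnameErrorLine, bool) {
	i := strings.Index(line, validForPrefix)
	if i < 0 {
		return HostnameErrorLine{}, false
	}
	rest := line[i+len(validForPrefix):]
	// The host follows the last ", not "; LastIndex keeps a name that happens
	// to contain that substring from splitting the list early.
	j := strings.LastIndex(rest, notMarker)
	if j < 0 {
		return HostnameErrorLine{}, false
	}
	list := rest[:j]
	host := ""
	if f := strings.Fields(rest[j+len(notMarker):]); len(f) > 0 {
		host = strings.Trim(f[0], `"'`)
	}
	names := 0
	if list != "" {
		names = len(strings.Split(list, ", "))
	}
	return HostnameErrorLine{Line: line, Names: names, WantHost: host}, true
}

// flagSuspicious returns the parsed lines whose SAN list exceeds threshold.
func flagSuspicious(lines []string, threshold int) []HostnameErrorLine {
	var out []HostnameErrorLine
	for _, l := range lines {
		if p, ok := parseHostnameError(l); ok && p.Names > threshold {
			out = append(out, p)
		}
	}
	return out
}

// hostileMessage constructs the error text a certificate with n IP SANs would
// produce when checked against 192.0.2.1. Synthetic; not from a real handshake.
func hostileMessage(n int) string {
	names := make([]string, n)
	for i := range names {
		names[i] = fmt.Sprintf("10.%d.%d.%d", (i>>16)&0xff, (i>>8)&0xff, i&0xff)
	}
	return validForPrefix + strings.Join(names, ", ") + notMarker + "192.0.2.1"
}

// sampleLogs are constructed log lines for the demonstration, not real captures.
var sampleLogs = []string{
	`2025-12-02T10:00:01Z client: Get "https://198.51.100.7/": tls: failed to verify certificate: x509: certificate is valid for 198.51.100.7, 198.51.100.8, not 203.0.113.9`,
	`2025-12-02T10:00:02Z client: dial ok`,
	`2025-12-02T10:00:03Z client: tls: failed to verify certificate: ` + hostileMessage(5000),
	`2025-12-02T10:00:04Z client: tls: failed to verify certificate: x509: certificate is valid for example.com, www.example.com, not example.org`,
}

func main() {
	for _, hit := range flagSuspicious(sampleLogs, 100) {
		fmt.Printf("suspicious: %d SAN names listed, checked against %s (line length %d)\n",
			hit.Names, hit.WantHost, len(hit.Line))
	}
}
```

A threshold around 100 separates routine mismatches (a handful of names) from a certificate built to trigger the quadratic path, while the message length in the flagged line shows why a simple len(message) filter in the SIEM is a workable proxy.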
