CVE-2025-61730 – This TLS 1.3 vulnerability in Go's crypto/tls l... (How to Fix)

Q: What is the severity of CVE-2025-61730?

CVE-2025-61730 has a CVSS score of 5.3 (MEDIUM). This TLS 1.3 vulnerability in Go's crypto/tls library allows a network-local attacker to inject messages during handshake, potentially causing minor information disclosure when messages span encryption level boundaries. It affects applications using Go's TLS implementation for secure communications.

📋 TL;DR

This TLS 1.3 vulnerability in Go's crypto/tls library allows a network-local attacker to inject messages during handshake, potentially causing minor information disclosure when messages span encryption level boundaries. It affects applications using Go's TLS implementation for secure communications.

💻 Affected Systems

Products:

Go programming language
Applications using Go's crypto/tls package

Versions: Go versions before 1.24.0 and 1.23.7

Operating Systems: All platforms running affected Go versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects TLS 1.3 connections using Go's implementation. Applications must be actively establishing TLS connections.

📦 What is this software?

Go by Golang

View all CVEs affecting Go →

Go by Golang

View all CVEs affecting Go →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker could potentially intercept or manipulate small amounts of handshake data, though full session compromise is unlikely due to encryption boundaries.

🟠

Likely Case

Minor information leakage about handshake timing or message ordering, potentially revealing implementation details.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is minimal as attacker must be network-local and timing is critical.

🌐 Internet-Facing: LOW - Requires network-local attacker position and precise timing during handshake.

🏢 Internal Only: MEDIUM - Internal attackers with network access could potentially exploit this during TLS handshakes between internal services.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Exploitation requires precise timing and network-local position during TLS handshake. No public exploits available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.24.0 or Go 1.23.7

Vendor Advisory: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Restart Required: Yes

Instructions:

1. Update Go to version 1.24.0 or 1.23.7. 2. Recompile affected applications. 3. Restart services using the updated Go runtime.

🔧 Temporary Workarounds

Disable TLS 1.3

all

Configure applications to use TLS 1.2 instead of TLS 1.3

Set MinVersion: tls.VersionTLS12 in tls.Config

🧯 If You Can't Patch

Implement strict network segmentation to limit potential attackers
Monitor for unusual TLS handshake patterns or timing anomalies

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version'. If version is below 1.24.0 and not 1.23.7, system is vulnerable.

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.24.0 or 1.23.7 with 'go version' command.

📡 Detection & Monitoring

Log Indicators:

Unusual TLS handshake failures
Multiple handshake attempts from same source

Network Indicators:

Abnormal TLS 1.3 handshake timing
Multiple messages in single records during handshake

SIEM Query:

tls.handshake AND (tls.version:1.3) AND (event.duration > threshold)

📊 Metadata

CVE ID: CVE-2025-61730

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score: 0.02% exploit probability (5.8th percentile)

Published: January 28, 2026

Last Updated: February 3, 2026

🔗 References

https://go.dev/cl/724120 Patch
https://go.dev/issue/76443 Patch
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc Release Notes
https://pkg.go.dev/vuln/GO-2026-4340 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON