CVE-2025-68121

10.0 CRITICAL

📋 TL;DR

This vulnerability in Go's crypto/tls package allows TLS session resumption to succeed when it should fail due to certificate authority configuration changes between handshakes. It affects Go applications that use TLS session resumption with mutable Config objects, potentially allowing clients or servers to resume sessions with untrusted parties.

💻 Affected Systems

Products:
  • Go programming language
Versions: Go 1.23.0 through 1.23.2
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using TLS session resumption with Config.Clone() or Config.GetConfigForClient() and mutating ClientCAs/RootCAs fields between handshakes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could establish a TLS session with a legitimate server, then resume that session after the server's trusted CA list has been modified, allowing the attacker to maintain encrypted communication even after being removed from the trust list.

🟠

Likely Case

Accidental session resumption with servers or clients that should no longer be trusted due to configuration changes, potentially bypassing intended security controls.

🟢

If Mitigated

Limited impact if applications don't use session resumption or properly manage Config objects without mutation.

🌐 Internet-Facing: MEDIUM - Affects TLS connections to/from internet-facing services, but requires specific configuration scenarios.
🏢 Internal Only: MEDIUM - Similar risk for internal services using TLS with session resumption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to trigger TLS session resumption and control over Config mutation timing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.23.3

Vendor Advisory: https://groups.google.com/g/golang-announce/c/K09ubi9FQFk

Restart Required: Yes

Instructions:

1. Update Go to version 1.23.3 or later.
2. Recompile affected applications.
3. Redeploy updated applications.
4. Restart services using the patched Go runtime.

🔧 Temporary Workarounds

Disable TLS session resumption

all

Configure applications to disable TLS session resumption entirely

// In Go code: config.SessionTicketsDisabled = true

Avoid Config mutation

all

Ensure Config objects are not mutated between initial and resumed handshakes

// Do not modify ClientCAs or RootCAs fields after initial handshake

🧯 If You Can't Patch

  • Disable TLS session resumption in all affected applications
  • Implement monitoring for unexpected session resumptions and review Config mutation patterns
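
One way to implement the resumption monitoring suggested above, as an added example that is not code from the advisory or from the Go project. It relies on `tls.Config.VerifyConnection`, which crypto/tls calls on every handshake including resumptions; `reverifyOnResume` and `selfSigned` are hypothetical names, the certificate is constructed sample input, and the check assumes a server that verifies client certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// reverifyOnResume (hypothetical helper) builds a tls.Config.VerifyConnection callback
// that re-checks a resumed peer chain against the CA pool that is trusted right now.
func reverifyOnResume(currentPool func() *x509.CertPool) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if !cs.DidResume || len(cs.PeerCertificates) == 0 {
			return nil // full handshake (already verified) or no client certificate
		}
		inter := x509.NewCertPool()
		for _, c := range cs.PeerCertificates[1:] {
			inter.AddCert(c)
		}
		_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: currentPool(),
			Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		return err // non-nil aborts the resumed handshake; log it as an indicator
	}
}

// selfSigned returns a constructed sample certificate (errors ignored: fixed demo inputs).
func selfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	cert, pool := selfSigned("constructed-client"), x509.NewCertPool()
	pool.AddCert(cert)
	check := reverifyOnResume(func() *x509.CertPool { return pool })
	resumed := tls.ConnectionState{DidResume: true, PeerCertificates: []*x509.Certificate{cert}}
	fmt.Println("issuer still trusted:", check(resumed))
	pool = x509.NewCertPool() // constructed state: issuer removed from the trust list
	fmt.Println("issuer removed:", check(resumed))
}
```

In a server this would be wired as `cfg.VerifyConnection = reverifyOnResume(...)`, with the function argument returning whatever pool the application currently assigns to `ClientCAs`.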

🔍 How to Verify

Check if Vulnerable:

Check if application uses Go 1.23.0-1.23.2 and employs TLS session resumption with Config.Clone() or Config.GetConfigForClient() that mutates CA fields.

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.23.3 or later and application has been recompiled with updated Go toolchain.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected successful TLS session resumptions after CA configuration changes
  • TLS handshake failures followed by successful resumptions

Network Indicators:

  • TLS session tickets being reused after trust configuration changes

SIEM Query:

Search for TLS handshake patterns where session resumption succeeds shortly after CA configuration modifications
