GO-2025-4155

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2025-4155

Import Source

https://vuln.go.dev/ID/GO-2025-4155.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2025-4155

Aliases

CVE-2025-61729

Published

2025-12-02T18:30:24Z

Modified

2025-12-02T19:27:42.521234Z

Summary

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Details

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2025-4155"
}

References

Credits

- Philippe Antoine (Catena cyber)

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.24.11

Introduced

1.25.0

Fixed

1.25.5

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "HostnameError.Error"
            ],
            "path": "crypto/x509"
        }
    ]
}