
Description

Within crypto/x509's HostnameError.Error(), when constructing the error string that lists the names a certificate is valid for, there is no limit to the number of hosts (subject alternative names) that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime in the number of names. Therefore, a certificate provided by a malicious actor, carrying a very large number of SANs, can result in excessive resource consumption (CPU time and memory) in any program that formats the verification error. The string is only built when the error is formatted, so the trigger is a caller that verifies a peer certificate against a hostname it does not match and then calls Error() on the result, for example to log it.
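The following program, added here as an illustration and not code from the Go project or from the fix, reproduces the condition the advisory describes and shows one way to harden the formatting. It builds a self-signed certificate with many IP SANs (constructed addresses, not real hosts), asks it to match an address it does not carry so that VerifyHostname returns a HostnameError, and measures how long Error() takes and how large its output is on the toolchain in use. boundedHostnameError is this example's own hardened variant (linear-time strings.Builder plus a cap on listed names); the cap value maxNamesListed and the "and N more" wording are assumptions, not what Go's fix chose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// maxNamesListed caps how many SAN entries boundedHostnameError prints.
// The value is an assumption for this example, not the limit Go's fix chose.
const maxNamesListed = 10

// makeCertWithIPSANs builds a self-signed certificate carrying n IP SANs.
// The addresses are constructed sequentially from 10.0.0.0 and are not real hosts.
func makeCertWithIPSANs(n int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ips := make([]net.IP, n)
	for i := range ips {
		ips[i] = net.IPv4(10, byte(i>>16), byte(i>>8), byte(i))
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameErrorLen asks the certificate to match host; on mismatch it formats
// the resulting HostnameError (the code path the advisory describes) and
// returns the length of the message, or 0 when host matches a SAN.
func hostnameErrorLen(cert *x509.Certificate, host string) int {
	if err := cert.VerifyHostname(host); err != nil {
		return len(err.Error())
	}
	return 0
}

// boundedHostnameError is the hardened formatting this example proposes, not
// the code from Go's fix: it uses a strings.Builder (linear time) and lists at
// most maxNamesListed SANs, summarising the rest as a count.
func boundedHostnameError(cert *x509.Certificate, host string) string {
	var names []string
	if net.ParseIP(host) != nil {
		for _, ip := range cert.IPAddresses {
			names = append(names, ip.String())
		}
	} else {
		names = cert.DNSNames
	}
	if len(names) == 0 {
		return "x509: certificate is not valid for any names, but wanted to match " + host
	}
	var b strings.Builder
	b.WriteString("x509: certificate is valid for ")
	for i, n := range names {
		if i > 0 {
			b.WriteString(", ")
		}
		if i == maxNamesListed {
			fmt.Fprintf(&b, "and %d more", len(names)-i)
			break
		}
		b.WriteString(n)
	}
	b.WriteString(", not ")
	b.WriteString(host)
	return b.String()
}

func main() {
	// Grow the SAN count by 10x each step and watch how the size of the
	// error string and the time to format it behave on this toolchain.
	for _, n := range []int{100, 1000, 10000} {
		cert, err := makeCertWithIPSANs(n)
		if err != nil {
			panic(err)
		}
		start := time.Now()
		size := hostnameErrorLen(cert, "192.0.2.1")
		fmt.Printf("%5d IP SANs: Error() is %d bytes, took %v\n", n, size, time.Since(start))
		fmt.Println("  bounded:", boundedHostnameError(cert, "192.0.2.1"))
	}
}
```

On an affected toolchain the reported size grows linearly with the SAN count and the time grows faster than that; on a fixed toolchain the output stays bounded. Either way the bounded variant shows the shape of the mitigation: never let untrusted input decide the length of a diagnostic string, and build strings with a builder rather than repeated concatenation.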

State: PUBLISHED | Reserved: 2025-09-30 | Published: 2025-12-02 | Updated: 2025-12-03 | Assigner: Go

Problem types

CWE-400: Uncontrolled Resource Consumption

Product status (Go)

Default status: unaffected
Any version before 1.24.11: affected
1.25.0 (semver) before 1.25.5: affected

Credits

Philippe Antoine (Catena cyber)

References

go.dev/cl/725920

go.dev/issue/76445

groups.google.com/g/golang-announce/c/8FJoBkPddm4

pkg.go.dev/vuln/GO-2025-4155

cve.org (CVE-2025-61729)

nvd.nist.gov (CVE-2025-61729)