The Go programming language team has released versions 1.25.6 and 1.24.12, security updates that fix six serious flaws, including denial of service, memory exhaustion, and arbitrary code execution. These patches adhere to Go's PRIVATE track security policy, which uses planned minor releases to address security property violations.

DoS Vulnerabilities and Memory Exhaustion Patched

The most serious vulnerability is in the archive/zip package (CVE-2025-61728), where opening files in ZIP archives triggers a super-linear file name indexing algorithm. Attackers can craft malicious archives that cause denial of service through computational exhaustion. This vulnerability was found by security researcher Jakub Ciolek and fixed in the most recent releases.

A second problem, a memory exhaustion issue (CVE-2025-61726), affects Request.ParseForm in net/http. The parser allocates too much memory when processing URL-encoded forms with a lot of key-value pairs, which results in DoS conditions. This vulnerability was immediately mitigated in the patched versions after researcher jub0bs reported it.

There were three different vulnerabilities in the crypto/tls package. Config.Clone incorrectly copied automatically generated session ticket keys, enabling unauthorized session resumption (CVE-2025-68121). Furthermore, the server-side implementation ignored expired intermediate or root certificates and only confirmed leaf certificate expiration during session resumption. Coia Prant reported both problems.

| CVE ID | Component | Impact | Reporter |
|---|---|---|---|
| CVE-2025-61728 | archive/zip | DoS through malicious ZIP files | Jakub Ciolek |
| CVE-2025-61726 | net/http | ParseForm memory exhaustion | jub0bs |
| CVE-2025-68121 | crypto/tls | Resuming a session without authorization | Coia Prant |
| CVE-2025-61731 | cmd/go | Arbitrary code execution via CgoPkgConfig | RyotaK |
| CVE-2025-68119 | cmd/go | Code execution using VCS commands | splitline |
| CVE-2025-61730 | crypto/tls | Disclosure of information during a handshake | Coia Prant |

A third TLS vulnerability (CVE-2025-61730) allowed handshake messages to be processed at incorrect encryption levels when multiple messages cross encryption boundaries, potentially exposing data to network-local attackers.

Arbitrary code execution was made possible by two serious toolchain flaws. CVE-2025-61731 affected CgoPkgConfig, where unsanitized compiler flags allowed pkg-config to be run with malicious parameters. This flag sanitization circumvention was discovered by RyotaK from GMO Flatt Security Inc.

The VCS integration of the Go toolchain was affected by CVE-2025-68119.

When downloading modules from non-standard sources or creating modules with malicious version strings, systems running Mercurial or Git could run arbitrary code. Version strings that begin with "-" or "-" characters are now prohibited by the toolchain. Splitline from the DEVCORE Research Team found this vulnerability.
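To check a fleet against the fixed releases named above (1.25.6 and 1.24.12), the following added example classifies the running toolchain and any compiled Go binaries passed as arguments. It is not code from the Go project or from this article; `patchStatus`, `binaryStatus`, and the status labels are hypothetical names chosen for illustration, and branches the article does not mention are reported as "unlisted" rather than guessed.

```go
// Added example: classify Go versions against the fixed releases named in the article.
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"runtime"
	"strings"
)

// fixedReleases maps each release branch named in the article to its fixed release.
var fixedReleases = map[string]string{
	"go1.25": "go1.25.6",
	"go1.24": "go1.24.12",
}

// patchStatus (hypothetical helper) classifies a version string such as
// runtime.Version() output or the GoVersion recorded in a compiled binary.
func patchStatus(v string) string {
	v, _, _ = strings.Cut(v, " ") // drop build details, e.g. "go1.25.5 X:..."
	if !version.IsValid(v) {
		return "unknown" // development builds and unparseable strings
	}
	fixed, ok := fixedReleases[version.Lang(v)]
	if !ok {
		return "unlisted" // the article names no fixed release for this branch
	}
	if version.Compare(v, fixed) >= 0 {
		return "patched"
	}
	return "vulnerable"
}

// binaryStatus reads the toolchain version embedded in a compiled Go binary.
func binaryStatus(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return patchStatus(info.GoVersion), nil
}

func main() {
	fmt.Println("running toolchain:", runtime.Version(), patchStatus(runtime.Version()))
	for _, path := range os.Args[1:] { // optional: paths of Go binaries to audit
		status, err := binaryStatus(path)
		fmt.Println(path, status, err)
	}
}
```

A binary reported as "vulnerable" needs to be rebuilt with a fixed toolchain, since the standard library fixes are compiled into each binary.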
