Go Releases Critical Security Updates in Versions 1.25.6 and 1.24.12 to Address Severe Vulnerabilities
The Go programming language team has urgently released versions 1.25.6 and 1.24.12 to rectify six critical security vulnerabilities that pose significant risks to developers and organizations utilizing Go’s standard library. These vulnerabilities encompass denial-of-service (DoS) attacks, arbitrary code execution, and issues within the Transport Layer Security (TLS) protocol, potentially exposing systems to remote exploitation.
Overview of the Security Flaws:
1. Denial-of-Service via Memory Exhaustion in net/http:
The `net/http` package’s `Request.ParseForm` function is susceptible to memory exhaustion. Attackers can craft malicious URL-encoded forms with an excessive number of key-value pairs, leading to substantial memory allocations that can overwhelm and incapacitate servers.
2. DoS through archive/zip’s Filename Indexing:
The `archive/zip` package exhibits super-linear filename indexing behavior. By creating specially crafted ZIP archives, attackers can exploit this flaw to cause a DoS condition, disrupting services that process such archives.
3. Arbitrary Code Execution via cmd/go:
Two critical vulnerabilities within the `cmd/go` tool have been identified:
– CgoPkgConfig Flag Bypass: This flaw allows the `pkg-config` tool to execute with unsafe inputs, potentially leading to arbitrary code execution.
– VCS Toolchain Misinterpretation: Malicious module versions or domains can be crafted to execute code or overwrite files when processed through custom `go get` paths, excluding the `@latest` version.
4. TLS Protocol Misconfigurations in crypto/tls:
Several issues within the `crypto/tls` package have been addressed:
– Session Ticket Key Leakage: The `Config.Clone` function inadvertently leaked auto-generated session ticket keys, allowing unauthorized session resumptions across different configurations.
– Certificate Chain Expiration Ignored: The system failed to properly check the expiration of the full certificate chain, potentially accepting expired certificates.
– Incorrect Processing of Handshake Messages: Processing handshake messages at incorrect encryption levels could lead to information disclosure through injected packets.
Detailed Vulnerability Information:
| CVE ID | Component | Description Summary | Go Issue Link | Reporter |
|——————|————–|————————————————————————————-|———————————–|———————————-|
| CVE-2025-61728 | archive/zip | Super-linear filename indexing causes DoS on malicious ZIPs | [Issue 77102](https://go.dev/issue/77102) | Jakub Ciolek |
| CVE-2025-61726 | net/http | Memory exhaustion from excessive form key-value pairs | [Issue 77101](https://go.dev/issue/77101) | jub0bs |
| CVE-2025-68121 | crypto/tls | Config.Clone leaks session keys; ignores full cert chain expiration | [Issue 77113](https://go.dev/issue/77113) | Coia Prant (rbqvq) |
| CVE-2025-61731 | cmd/go | CgoPkgConfig flag bypass leads to arbitrary code execution | [Issue 77100](https://go.dev/issue/77100) | RyotaK (GMO Flatt Security) |
| CVE-2025-68119 | cmd/go | VCS toolchain misinterpretation enables code execution/file writes | [Issue 77099](https://go.dev/issue/77099) | splitline (DEVCORE) |
| CVE-2025-61730 | crypto/tls | Handshake messages processed at incorrect encryption level (info disclosure) | [Issue 76443](https://go.dev/issue/76443) | Coia Prant (rbqvq) |
Recommendations for Developers:
It is imperative for developers and organizations to upgrade to Go version 1.25.6 or 1.24.12 immediately to mitigate these vulnerabilities. The Go team has made binary downloads available at [go.dev/dl](https://go.dev/dl), with comprehensive release notes accessible at [go.dev/doc/devel/release#go1.25.6](https://go.dev/doc/devel/release#go1.25.6).
To ensure a secure development environment:
– Update Dependencies: Review and update all project dependencies to incorporate the latest security patches.
– Rebuild Binaries: After updating, rebuild all binaries to ensure they are compiled with the patched versions of Go.
– Monitor for Exploitation: Stay vigilant for any signs of exploitation in your systems and apply additional security measures as necessary.
While Common Vulnerability Scoring System (CVSS) scores for these vulnerabilities have not been published yet, the potential for DoS and remote code execution underscores the severity of these issues. The proactive release of these patches highlights the Go team’s commitment to maintaining a secure and reliable programming environment.
