| Name | CVE-2025-61729 |
| Description | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1121847, 1121848 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-1.15 (PTS) | bullseye | 1.15.15-1~deb11u4 | vulnerable |
| golang-1.19 (PTS) | bookworm | 1.19.8-2 | vulnerable |
| golang-1.24 (PTS) | trixie | 1.24.4-1 | vulnerable |
| golang-1.24 (PTS) | forky, sid | 1.24.9-1 | vulnerable |
| golang-1.25 (PTS) | forky, sid | 1.25.3-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-1.15 | source | (unstable) | (unfixed) | | | |
| golang-1.19 | source | (unstable) | (unfixed) | | | |
| golang-1.24 | source | (unstable) | (unfixed) | | | 1121848 |
| golang-1.25 | source | (unstable) | (unfixed) | | | 1121847 |
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
https://go-review.googlesource.com/c/go/+/725920
https://github.com/golang/go/issues/76445
Fixed by: https://github.com/golang/go/commit/f7bce4bd6f7b13de8d9f06f7f262e3b60381e7e9 (go1.25.5)
Fixed by: https://github.com/golang/go/commit/3a842bd5c6aa8eefa13c0174de3ab361e50bd672 (go1.24.11)