SB2025110705 - Multiple vulnerabilities in Google Go programming language
Published: November 7, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2025-61724)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/textproto due to the Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. A remote attacker can trigger excessive CPU consumption and perform a denial of service (DoS) attack.
2) Resource exhaustion (CVE-ID: CVE-2025-58183)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in archive/tar due to the tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A remote attacker can pass a specially crafted archive to the application and perform a denial of service (DoS) attack.
3) Input validation error (CVE-ID: CVE-2025-58188)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in crypto/x509 due to an error when validating certificate chains which contain DSA public keys. A remote attacker can pass a specially crafted certificate to the application and crash it.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http due to the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption.
5) Resource exhaustion (CVE-ID: CVE-2025-58185)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/asn1 due to application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.
6) Input validation error (CVE-ID: CVE-2025-47912)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists in net/url due to the Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. A remote attacker can abuse such behavior to perform spoofing attacks.
7) Resource exhaustion (CVE-ID: CVE-2025-61723)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/pem due to application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.
8) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-58189)
The vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to missing sanitization of input data when the Conn.Handshake fails during ALPN negotiation in crypto/tls. A remote attacker can pass specially crafted input via an error message and influence the application behavior, leading to a potential spoofing attack.
9) Resource exhaustion (CVE-ID: CVE-2025-61725)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the ParseAddress function in net/mail does not properly control consumption of internal resources. A remote attacker can compose a specially crafted email message that triggers excessive CPU consumption leading to denial of service.
Remediation
Install update from vendor's website.
References
- https://go.dev/cl/709859
- https://go.dev/issue/75716
- https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
- https://pkg.go.dev/vuln/GO-2025-4015
- https://go.dev/cl/709861
- https://go.dev/issue/75677
- https://pkg.go.dev/vuln/GO-2025-4014
- https://go.dev/cl/709853
- https://go.dev/issue/75675
- https://pkg.go.dev/vuln/GO-2025-4013
- https://go.dev/cl/709855
- https://go.dev/issue/75672
- https://pkg.go.dev/vuln/GO-2025-4012
- https://go.dev/cl/709856
- https://go.dev/issue/75671
- https://pkg.go.dev/vuln/GO-2025-4011
- https://go.dev/cl/709857
- https://go.dev/issue/75678
- https://pkg.go.dev/vuln/GO-2025-4010
- https://go.dev/cl/709858
- https://go.dev/issue/75676
- https://pkg.go.dev/vuln/GO-2025-4009
- https://go.dev/cl/707776
- https://go.dev/issue/75652
- https://pkg.go.dev/vuln/GO-2025-4008
- https://go.dev/cl/709860
- https://go.dev/issue/75680
- https://pkg.go.dev/vuln/GO-2025-4006