Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The Go programming language team has rolled out emergency point releases, Go 1.25.6 and 1.24.12, to address six high-impact security flaws.<\/p>\n
These updates fix denial-of-service (DoS)<\/a> vectors, arbitrary code execution risks, and TLS mishandlings that could expose developers to remote attacks.<\/p>\n While not branded as version 1.26, the patches urge immediate upgrades for projects relying on Go\u2019s standard library, especially in web servers, crypto tools, and build systems.<\/p>\n Announced via official channels, the releases follow<\/a> Go\u2019s strict security policy, crediting external researchers for disclosures.<\/p>\n Binary downloads are available at go.dev\/dl, with full notes at go.dev\/doc\/devel\/release#go1.25.6. Attackers could exploit these in unpatched environments, from ZIP parsers to TLS handshakes.<\/p>\n Among the fixes, net\/http\u2019s Request.ParseForm stands out for memory exhaustion. Malicious URL-encoded forms with excessive key-value pairs trigger outsized allocations, crippling servers under load. Similarly, archive\/zip\u2019s super-linear filename indexing invites DoS via crafted archives.<\/p>\n More severe are cmd\/go flaws enabling code execution. CgoPkgConfig bypassed flag sanitization, running pkg-config with unsafe inputs. Toolchain VCS handling (Git\/Mercurial) allowed malicious module versions or domains to execute code or overwrite files triggerable via custom go get paths, though not @latest.<\/p>\n TLS issues compound risks: Config.Clone leaked auto-generated session ticket keys, enabling unauthorized resumptions across configs.<\/p>\n Session checks ignored full certificate chain<\/a> expirations, and handshake messages processed at the wrong encryption levels risked info leaks from injected packets.<\/p>\n Developers should pin to 1.25.6 or 1.24.12 immediately, rebuilding binaries via git checkout go1.25.6<\/em>. Scan dependencies for vulnerable modules.<\/p>\n No CVSS scores are published yet, but DoS and RCE potentials rate high. Go\u2019s proactive patching underscores supply-chain hygiene in 2026\u2019s threat landscape.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Vulnerabilities and Exploit Paths<\/strong><\/h2>\n
\n\n
\n \nCVE ID<\/th>\n Component<\/th>\n Description Summary<\/th>\n Go Issue Link<\/th>\n Reporter<\/th>\n<\/tr>\n<\/thead>\n \n CVE-2025-61728<\/td>\n archive\/zip<\/td>\n Super-linear filename indexing causes DoS on malicious ZIPs<\/td>\n go.dev\/issue\/77102<\/a><\/td>\n Jakub Ciolek<\/td>\n<\/tr>\n \n CVE-2025-61726<\/td>\n net\/http<\/td>\n Memory exhaustion from excessive form key-value pairs<\/td>\n go.dev\/issue\/77101<\/a><\/td>\n jub0bs<\/td>\n<\/tr>\n \n CVE-2025-68121<\/td>\n crypto\/tls<\/td>\n Config.Clone leaks session keys; ignores full cert chain expiration<\/td>\n go.dev\/issue\/77113<\/a><\/td>\n Coia Prant (rbqvq)<\/td>\n<\/tr>\n \n CVE-2025-61731<\/td>\n cmd\/go<\/td>\n CgoPkgConfig flag bypass leads to arbitrary code execution<\/td>\n go.dev\/issue\/77100<\/a><\/td>\n RyotaK (GMO Flatt Security)<\/td>\n<\/tr>\n \n CVE-2025-68119<\/td>\n cmd\/go<\/td>\n VCS toolchain misinterpretation enables code exec\/file writes<\/td>\n go.dev\/issue\/77099<\/a><\/td>\n splitline (DEVCORE)<\/td>\n<\/tr>\n \n CVE-2025-61730<\/td>\n crypto\/tls<\/td>\n Handshake messages processed at incorrect encryption level (info disclosure)<\/td>\n go.dev\/issue\/76443<\/a><\/td>\n Coia Prant (rbqvq)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Upgrade and Mitigation Advice<\/strong><\/h2>\n