The Go programming language team has rolled out emergency point releases, Go 1.25.6 and 1.24.12, to address six high-impact security flaws.
These updates fix denial-of-service (DoS) vectors, arbitrary code execution risks, and TLS mishandlings that could expose developers to remote attacks.
While not branded as version 1.26, the patches urge immediate upgrades for projects relying on Go’s standard library, especially in web servers, crypto tools, and build systems.
Announced via official channels, the releases follow Go’s strict security policy, crediting external researchers for disclosures.
Binary downloads are available at go.dev/dl, with full notes at go.dev/doc/devel/release#go1.25.6. Attackers could exploit these in unpatched environments, from ZIP parsers to TLS handshakes.
Key Vulnerabilities and Exploit Paths
Among the fixes, net/http’s Request.ParseForm stands out for memory exhaustion. Malicious URL-encoded forms with excessive key-value pairs trigger outsized allocations, crippling servers under load. Similarly, archive/zip’s super-linear filename indexing invites DoS via crafted archives.
More severe are cmd/go flaws enabling code execution. CgoPkgConfig bypassed flag sanitization, running pkg-config with unsafe inputs. Toolchain VCS handling (Git/Mercurial) allowed malicious module versions or domains to execute code or overwrite files triggerable via custom go get paths, though not @latest.
TLS issues compound risks: Config.Clone leaked auto-generated session ticket keys, enabling unauthorized resumptions across configs.
Session checks ignored full certificate chain expirations, and handshake messages processed at the wrong encryption levels risked info leaks from injected packets.
| CVE ID | Component | Description Summary | Go Issue Link | Reporter |
|---|---|---|---|---|
| CVE-2025-61728 | archive/zip | Super-linear filename indexing causes DoS on malicious ZIPs | go.dev/issue/77102 | Jakub Ciolek |
| CVE-2025-61726 | net/http | Memory exhaustion from excessive form key-value pairs | go.dev/issue/77101 | jub0bs |
| CVE-2025-68121 | crypto/tls | Config.Clone leaks session keys; ignores full cert chain expiration | go.dev/issue/77113 | Coia Prant (rbqvq) |
| CVE-2025-61731 | cmd/go | CgoPkgConfig flag bypass leads to arbitrary code execution | go.dev/issue/77100 | RyotaK (GMO Flatt Security) |
| CVE-2025-68119 | cmd/go | VCS toolchain misinterpretation enables code exec/file writes | go.dev/issue/77099 | splitline (DEVCORE) |
| CVE-2025-61730 | crypto/tls | Handshake messages processed at incorrect encryption level (info disclosure) | go.dev/issue/76443 | Coia Prant (rbqvq) |
Upgrade and Mitigation Advice
Developers should pin to 1.25.6 or 1.24.12 immediately, rebuilding binaries via git checkout go1.25.6. Scan dependencies for vulnerable modules.
No CVSS scores are published yet, but DoS and RCE potentials rate high. Go’s proactive patching underscores supply-chain hygiene in 2026’s threat landscape.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
