The Go team has officially released versions 1.25.7 and 1.24.13. These minor point releases address two distinct security vulnerabilities affecting the cmd/cgo command and the crypto/tls library.
The updates are recommended for all users to prevent potential code smuggling and authentication bypass scenarios.
Overview of the Vulnerability
The first vulnerability, tracked as CVE-2025-61732, affects the cmd/cgo tool, which enables the creation of Go packages that call C code.
The issue stems from a discrepancy in how the Go compiler and C/C++ compilers parse comments.
Attackers could exploit this parsing difference to smuggle code into the resulting cgo binary.
By crafting comments in a specific way, an attacker could hide instructions inside documentation comments, so that text the developer expected to be ignored as a comment is instead compiled into the binary and executed.
To resolve this, the cgo compiler in the new versions no longer parses user-provided documentation comments in cgo Abstract Syntax Trees (ASTs). This issue was reported by RyotaK of GMO Flatt Security Inc.
crypto/tls: Authentication Bypass in Session Resumption
The second issue involves the crypto/tls package and is an update to CVE-2025-68121. This vulnerability triggers unexpected behavior when using Config.GetConfigForClient.
By default, GetConfigForClient utilizes the session ticket keys from the original configuration unless explicitly overridden.
The security flaw occurs if the returned configuration modifies authentication parameters, such as ClientCAs.
In this scenario, a session established under the parent configuration could be resumed under the returned configuration, effectively bypassing the modified authentication requirements.
With this patch, crypto/tls now actively verifies that the root of the previously verified chain remains present in ClientCAs or RootCAs when resuming a connection.
This logic applies when ClientAuth is set to VerifyClientCertIfGiven or RequireAndVerifyClientCert. This finding is credited to Coia Prant.
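As an added illustration (not code from the Go project or from this article), the following shows the GetConfigForClient pattern the advisory describes next to a hardened variant that disables session tickets on the stricter per-host config, so no session established under the parent configuration can be resumed against it. The hostnames, the perHostConfig type and the resumable helper are assumptions made for the example; disabling tickets is a configuration-level mitigation independent of the root-of-chain check the patched releases add, and upgrading remains the actual fix.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"strings"
)

// Constructed example, not the Go project's code: one server serves a public
// hostname with the base config and a stricter admin hostname that requires
// client certificates issued by a dedicated CA pool.

// perHostConfig describes the stricter policy selected by SNI (hypothetical).
type perHostConfig struct {
	host string
	cas  *x509.CertPool
}

// weakGetConfigForClient shows the pattern the advisory describes: the returned
// config tightens ClientCAs and ClientAuth but says nothing about session
// tickets, so it inherits the parent's ticket keys. On unpatched Go versions a
// session established under the base config could be resumed here without
// being checked against the stricter ClientCAs.
func weakGetConfigForClient(base *tls.Config, strict perHostConfig) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if !strings.EqualFold(hello.ServerName, strict.host) {
			return nil, nil // a nil Config keeps the base config for this connection
		}
		cfg := base.Clone()
		cfg.ClientCAs = strict.cas
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		return cfg, nil
	}
}

// hardenedGetConfigForClient applies the same policy but disables session
// tickets on the stricter config, so a connection to the strict host is never
// resumed from a ticket minted under the base config and always performs a full
// handshake with client-certificate verification against strict.cas.
func hardenedGetConfigForClient(base *tls.Config, strict perHostConfig) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	weak := weakGetConfigForClient(base, strict)
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		cfg, err := weak(hello)
		if err != nil || cfg == nil {
			return cfg, err
		}
		cfg.SessionTicketsDisabled = true
		return cfg, nil
	}
}

// resumable reports whether the config selected for serverName still permits
// ticket-based resumption (true is the risky state the advisory describes).
// A nil result from the callback means the base config is used, as in crypto/tls.
func resumable(base *tls.Config, get func(*tls.ClientHelloInfo) (*tls.Config, error), serverName string) (bool, error) {
	cfg, err := get(&tls.ClientHelloInfo{ServerName: serverName})
	if err != nil {
		return false, err
	}
	if cfg == nil {
		cfg = base
	}
	return !cfg.SessionTicketsDisabled, nil
}

func main() {
	base := &tls.Config{MinVersion: tls.VersionTLS12}
	strict := perHostConfig{host: "admin.example.test", cas: x509.NewCertPool()}
	for name, get := range map[string]func(*tls.ClientHelloInfo) (*tls.Config, error){
		"weak":     weakGetConfigForClient(base, strict),
		"hardened": hardenedGetConfigForClient(base, strict),
	} {
		ok, _ := resumable(base, get, strict.host)
		fmt.Printf("%-8s config for %s: resumption allowed = %v\n", name, strict.host, ok)
	}
}
```

The base config keeps its default ticket behaviour for the public hostname; only the per-host config that changes ClientCAs and ClientAuth has resumption turned off, which is the one place where a resumed session would otherwise skip the stricter verification.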
| CVE ID | Component | Severity / Type | Description |
|---|---|---|---|
| CVE-2025-61732 | cmd/cgo | Code Injection | Discrepancy in comment parsing between Go and C/C++ allows code smuggling in cgo binaries. |
| CVE-2025-68121 | crypto/tls | Auth Bypass | Session resumption using GetConfigForClient may bypass updated authentication parameters (e.g., ClientCAs). |
Developers should update their Go environments immediately. Binary and source distributions are available on the official Go download page.
