The Go development team has released Go versions 1.25.6 and 1.24.12, addressing six critical security vulnerabilities that could enable denial-of-service attacks, arbitrary code execution, and unauthorised session resumption.
These minor point releases follow the Go security policy and represent significant hardening efforts across core cryptographic, networking, and toolchain components.
The most impactful vulnerability stems from memory exhaustion flaws in the net/http Request.ParseForm function, where insufficient validation of URL-encoded form data could trigger unexpected memory allocation during parsing.
| CVE | Component | Severity | Impact |
|---|---|---|---|
| CVE-2025-61728 | archive/zip | High | Denial of service via super-linear indexing algorithm |
| CVE-2025-61726 | net/http | High | Memory exhaustion and denial of service |
| CVE-2025-68121 | crypto/tls | High | Unauthorized session resumption and authentication bypass |
| CVE-2025-61731 | cmd/go | Critical | Arbitrary code execution through unsanitized compiler flags |
| CVE-2025-68119 | cmd/go | Critical | Remote code execution and arbitrary file writes |
| CVE-2025-61730 | crypto/tls | Medium | Minor information disclosure via network-local injection |
Malicious actors exploiting this vulnerability could exhaust available system memory, rendering applications unresponsive.
The archive/zip vulnerability compounds denial-of-service risks by using a superlinear file indexing algorithm that inefficiently processes malicious ZIP archives, resulting in severe performance degradation when opening archived files.
Beyond availability threats, the crypto/tls module contained a critical session resumption flaw where Config.Clone inadvertently copied automatically generated session ticket keys between instances.
This architectural oversight allowed clients to resume sessions across separate configurations that should maintain isolation.
Additionally, the server-side implementation failed to validate the whole certificate chain’s expiration during resumption, allowing sessions to persist even when intermediate or root certificates expired.
These flaws created conditions that could bypass authentication and compromise the integrity of encrypted communication.
The cmd/go toolchain vulnerabilities introduce remote code execution pathways through VCS integration, as reported by Google.
The CgoPkgConfig flag sanitization bypass allowed unsanitized compiler flags to reach pkg-config, while VCS command construction on Mercurial-equipped systems enabled unexpected execution during module downloads.
Git installations were exploited by malicious version strings written to arbitrary file locations. Developers should prioritise immediate updates to eliminate these attack vectors.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.