CVEFinder.io

CVE-2025-61730

🔶 medium
Summary

During the TLS 1.3 handshake, if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

CVSS Score: 5.3 (Medium)
EPSS Score (Exploit Probability): 0.0
Published Date: 2026-01-28
First Seen: 2026-01-29
Last Modified: 2026-02-03
Source: NVD
CVSS Vector (3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2025-61726 | ⚠️ high | 7.5 | 0.0 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query p... | 2026-01-28 |
| CVE-2025-61728 | 🔶 medium | 6.5 | 0.0 | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is open... | 2026-01-28 |
| CVE-2025-61731 | ⚠️ high | 7.8 | 0.0 | Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of... | 2026-01-28 |
| CVE-2025-68119 | ⚠️ high | 7.0 | 0.0 | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercuria... | 2026-01-28 |
| CVE-2025-61727 | 🔶 medium | 6.5 | 0.0 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certifi... | 2025-12-03 |
| CVE-2025-61729 | ⚠️ high | 7.5 | 0.0 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be p... | 2025-12-02 |
These CVEs affect the same products