Vulnerability CVE-2025-61729: Information

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Severity: HIGH (7.5)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2025-61729

Published: Dec. 2, 2025

Modified: Dec. 19, 2025

Error type identifier: CWE-295

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
cert-manager	sisyphus	1.19.2-alt1	1.19.2-alt1	ALT-PU-2025-15712-2	402588	Fixed
cert-manager	sisyphus_riscv64	1.19.2-alt1	1.19.2-alt1	ALT-PU-2026-1557-1	-	Fixed
cert-manager	sisyphus_loongarch64	1.19.2-alt1	1.19.2-alt1	ALT-PU-2026-1561-1	-	Fixed
cert-manager	p11	1.19.2-alt1	1.14.5-alt1	ALT-PU-2026-1640-2	405902	Testing
golang	sisyphus	1.25.5-alt1	1.25.6-alt1	ALT-PU-2025-15284-1	401652	Fixed
golang	sisyphus_riscv64	1.25.5-alt0.port	1.25.6-alt0.port	ALT-PU-2025-15335-1	-	Fixed
golang	sisyphus_loongarch64	1.25.5-alt1	1.25.6-alt1	ALT-PU-2025-15611-1	-	Fixed
golang	p10	1.24.12-alt1	1.24.12-alt1	ALT-PU-2026-1427-2	405532	Fixed
golang	c10f2	1.25.5-alt1	1.25.6-alt1	ALT-PU-2025-15286-2	401654	Fixed
golang	p11	1.25.5-alt1	1.25.5-alt1	ALT-PU-2025-15362-2	401653	Fixed
mimir	sisyphus	3.0.2-alt1	3.0.2-alt1	ALT-PU-2026-1171-2	404870	Fixed
mimir	sisyphus_riscv64	3.0.2-alt1	3.0.2-alt1	ALT-PU-2026-1194-1	-	Fixed
mimir	sisyphus_loongarch64	3.0.2-alt1	3.0.2-alt1	ALT-PU-2026-1199-1	-	Fixed
mimir	c10f2	3.0.2-alt1	3.0.2-alt1	ALT-PU-2026-1175-3	404903	Fixed
mimir	p11	3.0.2-alt1	3.0.2-alt1	ALT-PU-2026-1565-3	405801	Fixed
rclone	sisyphus	1.72.1-alt1	1.72.1-alt1	ALT-PU-2026-1106-2	404566	Fixed
rclone	sisyphus_riscv64	1.72.1-alt1	1.72.1-alt1	ALT-PU-2026-1120-1	-	Fixed
rclone	sisyphus_loongarch64	1.72.1-alt1	1.72.1-alt1	ALT-PU-2026-1129-1	-	Fixed
rclone	c10f2	1.72.1-alt1	1.72.1-alt1	ALT-PU-2026-1173-3	404891	Fixed
rclone	p11	1.72.1-alt1	1.72.1-alt1	ALT-PU-2026-1108-2	404567	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://go.dev/cl/725920	Patch
https://go.dev/issue/76445	Issue Tracking Patch
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4	Mailing List Release Notes
https://pkg.go.dev/vuln/GO-2025-4155	Vendor Advisory
BDU:2025-16242

Affected configurations:
1. cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
  End excluding
  1.24.11
  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
  Start including
  1.25.0
  End excluding
  1.25.5

Version: v25.10.0