The Go programming language team has rolled out emergency point releases, Go 1.25.6 and 1.24.12, to address six high-impact security flaws.
These updates fix denial-of-service (DoS) vectors, arbitrary code execution risks, and TLS mishandlings that could expose developers to remote attacks.
While not branded as version 1.26, the patches urge immediate upgrades for projects relying on Go’s standard library, especially in web servers, crypto tools, and build systems.
Announced via official channels, the releases follow Go’s strict security policy, crediting external researchers for disclosures.
Binary downloads are available at go.dev/dl, with full notes at go.dev/doc/devel/release#go1.25.6. Attackers could exploit these in unpatched environments, from ZIP parsers to TLS handshakes.
Key Vulnerabilities and Exploit Paths
Among the fixes, net/http’s Request.ParseForm stands out for memory exhaustion. Malicious URL-encoded forms with excessive key-value pairs trigger outsized allocations, crippling servers under load. Similarly, archive/zip’s super-linear filename indexing invites DoS via crafted archives.
More severe are cmd/go flaws enabling code execution. CgoPkgConfig bypassed flag sanitization, running pkg-config with unsafe inputs. Toolchain VCS handling (Git/Mercurial) allowed malicious module versions or domains to execute code or overwrite files triggerable via custom go get paths, though not @latest.
TLS issues compound risks: Config.Clone leaked auto-generated session ticket keys, enabling unauthorized resumptions across configs.
Session checks ignored full certificate chain expirations, and handshake messages processed at the wrong encryption levels risked info leaks from injected packets.
CVE IDComponentDescription SummaryGo Issue LinkReporterCVE-2025-61728archive/zipSuper-linear filename indexing causes DoS on malicious ZIPsgo.dev/issue/77102Jakub CiolekCVE-2025-61726net/httpMemory exhaustion from excessive form key-value pairsgo.dev/issue/77101jub0bsCVE-2025-68121crypto/tlsConfig.Clone leaks session keys; ignores full cert chain expirationgo.dev/issue/77113Coia Prant (rbqvq)CVE-2025-61731cmd/goCgoPkgConfig flag bypass leads to arbitrary code executiongo.dev/issue/77100RyotaK (GMO Flatt Security)CVE-2025-68119cmd/goVCS toolchain misinterpretation enables code exec/file writesgo.dev/issue/77099splitline (DEVCORE)CVE-2025-61730crypto/tlsHandshake messages processed at incorrect encryption level (info disclosure)go.dev/issue/76443Coia Prant (rbqvq)
Upgrade and Mitigation Advice
Developers should pin to 1.25.6 or 1.24.12 immediately, rebuilding binaries via git checkout go1.25.6. Scan dependencies for vulnerable modules.
No CVSS scores are published yet, but DoS and RCE potentials rate high. Go’s proactive patching underscores supply-chain hygiene in 2026’s threat landscape.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks appeared first on Cyber Security News.
