CVE-2025-61730

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://go.dev/cl/724120	Patch
https://go.dev/issue/76443	Patch
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc	Release Notes
https://pkg.go.dev/vuln/GO-2026-4340	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

History

No history.

Information

Published : 2026-01-28 20:16

Updated : 2026-02-03 20:36

NVD link : CVE-2025-61730

Mitre link : CVE-2025-61730

CVE.ORG link : CVE-2025-61730

JSON object : View

Products Affected

golang

go

CWE

NVD-CWE-noinfo

{"id": "CVE-2025-61730", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-01-28T20:16:09.940", "references": [{"url": "https://go.dev/cl/724120", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/76443", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc", "tags": ["Release Notes"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4340", "tags": ["Vendor Advisory"], "source": "security@golang.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake."}, {"lang": "es", "value": "Durante el handshake de TLS 1.3, si se env\u00edan m\u00faltiples mensajes en registros que cruzan los l\u00edmites del nivel de cifrado (por ejemplo, los mensajes Client Hello y Encrypted Extensions), los mensajes subsiguientes pueden ser procesados antes de que cambie el nivel de cifrado. Esto puede causar una revelaci\u00f3n de informaci\u00f3n menor si un atacante local de red puede inyectar mensajes durante el handshake."}], "lastModified": "2026-02-03T20:36:41.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21FD9368-8AB3-404B-8599-BBF64EFE3C7B", "versionEndExcluding": "1.24.12"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A547E844-78D2-4B17-B7A9-73E7B503D2CE", "versionEndExcluding": "1.25.6", "versionStartIncluding": "1.25.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}