@shibd shibd commented Feb 3, 2026

Summary

Upgrade Go version from 1.25.5 to 1.25.6 to fix multiple CVEs in the standard library.

CVE Details

CVE ID          Severity  Description
CVE-2025-61726  HIGH      net/url package doesn't set a limit on query parameters (DoS)
CVE-2025-61728  HIGH      archive/zip uses super-linear file name indexing (DoS)
CVE-2025-61730  MEDIUM    TLS 1.3 handshake boundary issue (Information Disclosure)

How the CVE Was Introduced

The project was built with Go 1.25.5, which contains these vulnerabilities in the standard library:

  • net/url.ParseForm: No limit on query parameters can lead to excessive memory consumption
  • archive/zip: Super-linear file name indexing algorithm can cause DoS
  • crypto/tls: Messages processed before encryption level changes can leak information

Why This Fix Resolves the CVE

Go 1.25.6 includes fixes for all three CVEs:

  • Limits query parameter count to prevent DoS via URL parsing
  • Uses improved file name indexing algorithm in archive/zip
  • Properly handles TLS 1.3 encryption level boundaries

Verification

  • go build - build successful
  • Go version confirmed as 1.25.6
  • No dependency conflicts

References

Closes #3845

…25-61728, CVE-2025-61730

Upgrade Go version from 1.25.5 to 1.25.6 to fix multiple CVEs in the standard library:

- CVE-2025-61726: net/url package doesn't set a limit on query parameters (DoS)
- CVE-2025-61728: archive/zip uses super-linear file name indexing (DoS)
- CVE-2025-61730: TLS 1.3 handshake boundary issue (Information Disclosure)

Verification: go build completed successfully
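The net/url issue the PR description lists (CVE-2025-61726, no limit on query parameters) is fixed by the standard-library upgrade itself, but a service can also cap parameter counts at the application layer so that an oversized query is refused before url.ParseQuery or r.ParseForm allocates one map entry per parameter. The following is an added example written for this page; it is not code from this PR or from the project it belongs to. The names CountQueryParams, LimitedParseQuery, LimitForm and BuildQuery are hypothetical, the 1000-parameter and 1 MiB caps are assumed values, and the oversized query is constructed in the example rather than captured from any real request.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrTooManyParams is returned when a query string exceeds the caller's cap.
var ErrTooManyParams = errors.New("query string has too many parameters")

// CountQueryParams counts key=value segments in a raw query string by
// counting '&' separators, without allocating anything per parameter.
// url.ParseQuery splits on '&' as well, so the count is an upper bound on
// the number of entries ParseQuery would create (empty segments such as
// "a=1&&b=2" are counted here but skipped by ParseQuery, which is the
// conservative direction for a limit).
func CountQueryParams(raw string) int {
	if raw == "" {
		return 0
	}
	return strings.Count(raw, "&") + 1
}

// LimitedParseQuery refuses the query before url.ParseQuery does any
// per-parameter work. This is an application-level cap layered on top of
// whatever limit the standard library itself enforces; it is not the Go
// 1.25.6 fix.
func LimitedParseQuery(raw string, maxParams int) (url.Values, error) {
	if n := CountQueryParams(raw); n > maxParams {
		return nil, fmt.Errorf("%w: %d > %d", ErrTooManyParams, n, maxParams)
	}
	return url.ParseQuery(raw)
}

// LimitForm wraps an http.Handler so that both the URL query and the request
// body are bounded before the wrapped handler calls r.ParseForm. The query is
// checked by count; the body is bounded in bytes with http.MaxBytesReader,
// which in turn bounds how many form parameters ParseForm can produce.
func LimitForm(maxParams int, maxBody int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if CountQueryParams(r.URL.RawQuery) > maxParams {
			http.Error(w, "too many query parameters", http.StatusRequestURITooLong)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		next.ServeHTTP(w, r)
	})
}

// BuildQuery constructs a query string with n distinct parameters. It exists
// only to produce a constructed hostile input for the demonstration below.
func BuildQuery(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=v", i)
	}
	return b.String()
}

func main() {
	// A normal query passes through to url.ParseQuery unchanged.
	v, err := LimitedParseQuery("user=alice&page=2", 1000)
	fmt.Println(len(v), err)

	// A constructed 100000-parameter query is refused by the cap without
	// building a url.Values for it.
	_, err = LimitedParseQuery(BuildQuery(100000), 1000)
	fmt.Println(errors.Is(err, ErrTooManyParams))
}
```

The cap is checked on the raw string rather than on the parsed result because the cost being defended against is the parsing itself; checking len(values) after url.ParseQuery returns would only detect the problem once the memory has already been spent. The same ordering applies in LimitForm: the query count and the body byte limit are both installed before the wrapped handler has a chance to call ParseForm.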
github-actions bot commented Feb 3, 2026

@shibd: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions github-actions bot added the doc-info-missing This pr needs to mark a document option in description label Feb 3, 2026
@shibd shibd merged commit b294ba4 into master Feb 3, 2026
11 checks passed
@shibd shibd deleted the fix/cve-2025-61726-61728-61730 branch February 3, 2026 10:42