- What: Security updates have been released for Go 1.25.6 and Go 1.24.12 to address six vulnerabilities.
- Impact: These issues range from denial-of-service attacks and memory exhaustion to toolchain flaws that could enable arbitrary code execution in certain developer environments.
- Affected: Core standard library components including archive/zip and net/http, as well as security-sensitive areas of the crypto/tls stack.
The patched issues span core standard library components including archive/zip and net/http, as well as security-sensitive areas of the crypto/tls stack.

The Go programming language team has issued security updates for Go 1.25.6 and Go 1.24.12 to address six vulnerabilities. These issues range from denial-of-service attacks and memory exhaustion to toolchain flaws that could enable arbitrary code execution in certain developer environments. Two of the most serious weaknesses affect the Go toolchain itself, where crafted inputs could lead to command execution when building or fetching dependencies under specific conditions.

The releases follow Go's PRIVATE track security policy, the process used when a vulnerability violates a committed security property and requires coordination prior to disclosure. Under this model, fixes are delivered through scheduled minor releases rather than out-of-band patches, giving enterprises and downstream maintainers a predictable upgrade path while still allowing time for responsible reporting and remediation.

Memory exhaustion and DoS issues highlight service exposure risk

Two of the vulnerabilities are resource-exhaustion bugs, one in CPU time and one in memory, that an attacker could use to knock services offline. While these bugs do not directly grant unauthorized access, they can have significant impact in production settings where Go-based services handle untrusted input at scale.

The most severe denial-of-service vulnerability is tied to the archive/zip package.
Tracked as CVE-2025-61728, the flaw stems from a super-linear file name indexing algorithm that runs when files inside a ZIP archive are opened through the reader. In practical terms, an attacker can craft a ZIP file whose entry list makes that indexing consume CPU time out of all proportion to the archive's size. If a Go service automatically processes ZIP uploads or scans archives as part of workflows such as document ingestion, CI pipelines, malware scanning, or content extraction, the issue could be used to exhaust compute resources and disrupt availability. Security researcher Jakub Ciolek discovered CVE-2025-61728, and the problem has been resolved in the newly released versions.

A second denial-of-service weakness, CVE-2025-61726, affects net/http's Request.ParseForm. The risk comes from how Go parses URL-encoded forms containing a very large number of key-value pairs: the parser can allocate memory out of proportion to the size of the request body, potentially leading to memory exhaustion and process instability or termination. This vulnerability was reported by researcher jub0bs. The implications are especially important for internet-facing applications that accept large POST requests, process form submissions from untrusted sources, or expose endpoints that can be hit repeatedly by automated traffic. Even if upstream infrastructure includes rate limiting, an attacker may be able to trigger outsized memory pressure with fewer requests than expected, increasing the chance of service disruption.

TLS vulnerabilities affect session security assumptions

Three vulnerabilities patched in the crypto/tls package concern session handling and handshake behavior, areas that affect confidentiality, authentication strength, and the reliability of security guarantees in long-running applications. CVE-2025-68121 addresses an issue where Config.Clone improperly copies automatically generated session ticket keys, potentially allowing unauthorized session resumption.
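The archive/zip paragraph above describes a cost that is paid when entries are opened through the reader's name index. The safe pattern for an ingestion service is to validate the central directory before doing anything else, then open entries directly rather than by name. The following is an added example, not code from the Go project or from the advisory; the limits in ZipLimits are an assumed policy, and the sample archives are constructed in memory. It relies on two facts about the standard library: zip.NewReader only parses the central directory, and (*zip.File).Open does not go through the Reader.Open name index.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// ZipLimits is the policy a service enforces on an archive's central directory
// before it touches any entry. The numbers used below are assumptions for this example.
type ZipLimits struct {
	MaxEntries    int
	MaxNameLen    int
	MaxEntryBytes uint64 // declared uncompressed size of a single entry
	MaxTotalBytes uint64 // sum of declared uncompressed sizes
}

var ErrArchiveRejected = errors.New("archive rejected by policy")

// CheckZip parses only the central directory with zip.NewReader and validates
// every header against lim. It never calls Reader.Open (the fs.FS entry point
// whose name indexing the advisory describes), so a hostile entry list is
// refused before any index is built or any byte is decompressed.
func CheckZip(data []byte, lim ZipLimits) (*zip.Reader, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	if len(zr.File) > lim.MaxEntries {
		return nil, fmt.Errorf("%w: %d entries exceeds %d", ErrArchiveRejected, len(zr.File), lim.MaxEntries)
	}
	var total uint64
	for _, f := range zr.File {
		if err := checkName(f.Name, lim.MaxNameLen); err != nil {
			return nil, err
		}
		if f.UncompressedSize64 > lim.MaxEntryBytes {
			return nil, fmt.Errorf("%w: %q declares %d bytes", ErrArchiveRejected, f.Name, f.UncompressedSize64)
		}
		if f.UncompressedSize64 > lim.MaxTotalBytes-total { // overflow-safe running sum
			return nil, fmt.Errorf("%w: total declared size exceeds %d", ErrArchiveRejected, lim.MaxTotalBytes)
		}
		total += f.UncompressedSize64
	}
	return zr, nil
}

// checkName accepts only clean, relative, forward-slash paths of bounded length.
func checkName(name string, maxLen int) error {
	if len(name) > maxLen {
		return fmt.Errorf("%w: name of %d bytes exceeds %d", ErrArchiveRejected, len(name), maxLen)
	}
	n := strings.TrimSuffix(name, "/") // directory entries carry a trailing slash
	if n == "" || n == "." || strings.HasPrefix(n, "/") || strings.Contains(n, `\`) || path.Clean(n) != n {
		return fmt.Errorf("%w: non-canonical or absolute name %q", ErrArchiveRejected, name)
	}
	for _, seg := range strings.Split(n, "/") {
		if seg == ".." {
			return fmt.Errorf("%w: path traversal in %q", ErrArchiveRejected, name)
		}
	}
	return nil
}

// ReadEntry decompresses one entry through (*zip.File).Open, which does not use
// the name index, and refuses to read past max even if the header lied.
func ReadEntry(f *zip.File, max uint64) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	b, err := io.ReadAll(io.LimitReader(rc, int64(max)+1))
	if err != nil {
		return nil, err
	}
	if uint64(len(b)) > max {
		return nil, fmt.Errorf("%w: %q larger than declared", ErrArchiveRejected, f.Name)
	}
	return b, nil
}

// BuildZip writes a constructed in-memory archive from name/content pairs.
func BuildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e[0])
		if err != nil {
			panic(err)
		}
		fw.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}

// ManyEntries returns n tiny entries, to exercise the entry-count cap.
func ManyEntries(n int) [][2]string {
	out := make([][2]string, n)
	for i := range out {
		out[i] = [2]string{fmt.Sprintf("f%d.txt", i), "x"}
	}
	return out
}

func main() {
	lim := ZipLimits{MaxEntries: 100, MaxNameLen: 255, MaxEntryBytes: 1 << 16, MaxTotalBytes: 1 << 20}
	good := BuildZip([][2]string{{"docs/a.txt", "hello"}, {"docs/b.txt", "world"}})
	bad := BuildZip([][2]string{{"../../etc/passwd", "root:x:0:0"}})
	zr, err := CheckZip(good, lim)
	fmt.Println(len(zr.File), err)
	_, err = CheckZip(bad, lim)
	fmt.Println(err)
	_, err = CheckZip(BuildZip(ManyEntries(101)), lim)
	fmt.Println(err)
}
```

The entry-count cap is the control that matters for a super-linear indexing cost: the attacker's lever is the number and shape of names, so bounding both before indexing keeps the worst case proportional to a number you chose. The size checks are the usual zip-bomb defences and are independent of the patched bug; upgrading to a fixed release is still required.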
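The net/http paragraph above makes the point that memory use grows with the number of pairs, not with the body size, so a body-size cap alone is not enough. As an added example (not code from the Go project), the handler below caps the body with http.MaxBytesReader and, separately, counts pairs on the raw bytes before calling url.ParseQuery, so the per-pair allocations are bounded before they happen. The 64 KiB and 256-pair limits are an assumed policy; the request bodies are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed policy for this example: a 64 KiB body and at most 256 pairs.
const (
	maxFormBytes = 64 << 10
	maxFormPairs = 256
)

var ErrFormTooLarge = errors.New("form exceeds size or pair limit")

// CountPairs counts the key=value pairs a url.ParseQuery call would produce.
// Only '&' separates pairs; url.ParseQuery rejects ';' outright.
func CountPairs(body []byte) int {
	if len(body) == 0 {
		return 0
	}
	return bytes.Count(body, []byte{'&'}) + 1
}

// ParseFormBounded stands in for r.ParseForm on POST bodies. It reads at most
// maxBytes, counts pairs on the raw bytes, and only then decodes, so the map
// and slice allocations url.ParseQuery makes per pair are bounded up front
// rather than discovered after the heap has grown.
func ParseFormBounded(r *http.Request, maxBytes int64, maxPairs int) (url.Values, error) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBytes+1))
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		return nil, fmt.Errorf("%w: %v", ErrFormTooLarge, err)
	}
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxBytes {
		return nil, fmt.Errorf("%w: body exceeds %d bytes", ErrFormTooLarge, maxBytes)
	}
	if n := CountPairs(body); n > maxPairs {
		return nil, fmt.Errorf("%w: %d pairs exceeds %d", ErrFormTooLarge, n, maxPairs)
	}
	return url.ParseQuery(string(body))
}

// formHandler is the hardened endpoint. MaxBytesReader also makes the server
// close the connection instead of draining an oversized body.
func formHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "POST only", http.StatusMethodNotAllowed)
		return
	}
	if !strings.HasPrefix(r.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
		http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	form, err := ParseFormBounded(r, maxFormBytes, maxFormPairs)
	switch {
	case errors.Is(err, ErrFormTooLarge):
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, "malformed form", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %d keys\n", len(form))
}

// PostForm drives formHandler in-process with httptest and returns the status code.
func PostForm(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/submit", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	formHandler(rec, req)
	return rec.Code
}

// ManyPairs is a constructed hostile body of n three-byte pairs ("k=&k=&...").
// 1000 pairs is about 3 KB, well under the body cap yet far over the pair cap.
func ManyPairs(n int) string {
	return strings.TrimSuffix(strings.Repeat("k=&", n), "&")
}

func main() {
	fmt.Println(PostForm("user=alice&action=login")) // 200
	fmt.Println(PostForm(ManyPairs(1000)))            // 413
}
```

The pair cap is the control that addresses the page's scenario: ManyPairs(1000) passes any reasonable body-size limit and would still be rejected here, which is the gap a plain http.MaxBytesReader leaves open.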
Session tickets are designed to let clients resume previous TLS sessions efficiently, reducing connection overhead. If ticket key handling is flawed, an attacker could take advantage of unintended key reuse or sharing to resume sessions they should not have access to.

The same researcher, Coia Prant, also reported another server-side TLS issue in which only the leaf certificate's expiration was checked during session resumption, while expired intermediate or root certificates were not evaluated. In environments with strict certificate lifecycle controls, this kind of gap produces confusing edge cases where sessions remain valid longer than intended, weakening policy enforcement and increasing exposure if trust chains are not being properly refreshed.

A third TLS-related vulnerability, CVE-2025-61730, is tied to encryption-level handling during handshakes. The flaw allowed handshake messages to be processed at the wrong encryption level when multiple messages span an encryption boundary, potentially exposing information to an attacker with network-local visibility. In real-world terms, the highest risk is likely in shared networks,
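The resumption issue described above is a general class of bug: checking the leaf's own validity window says nothing about whether the chain that vouched for it is still valid. The following added example (not the crypto/tls fix, and not code from the Go project) builds a constructed root, intermediate and client-auth leaf in memory, where the leaf deliberately outlives its intermediate, and contrasts the weak leaf-only check with a full re-verification of the chain at a given time, which is what a server should do before honouring the identity carried by a resumed session. The three-tier chain, validity windows and names are all assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> client leaf chain generated
// in memory for this example; no real PKI is involved.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert issues tmpl signed by signer (self-signed when parent == tmpl).
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain issues an intermediate expiring at interEnd and a leaf expiring at
// leafEnd. A leafEnd later than interEnd is the misissuance the example probes.
func BuildChain(now, interEnd, leafEnd time.Time) Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate"},
		NotBefore: now.Add(-time.Hour), NotAfter: interEnd,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter := mustCert(interTmpl, root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "client-1"},
		NotBefore: now.Add(-time.Hour), NotAfter: leafEnd,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return Chain{Root: root, Inter: inter, Leaf: leaf}
}

// LeafOnlyValid mirrors the weak check the article describes: only the leaf's
// own validity window is consulted when a session is resumed.
func LeafOnlyValid(c Chain, at time.Time) bool {
	return !at.Before(c.Leaf.NotBefore) && !at.After(c.Leaf.NotAfter)
}

// ChainValidAt re-verifies the whole chain at the given instant, so an expired
// intermediate or root fails the resumed session just as it would a fresh handshake.
func ChainValidAt(c Chain, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	inters.AddCert(c.Inter)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	c := BuildChain(now, now.Add(24*time.Hour), now.Add(7*24*time.Hour))
	later := now.Add(48 * time.Hour) // leaf still valid, intermediate expired
	fmt.Println("leaf-only:", LeafOnlyValid(c, later))
	fmt.Println("full chain:", ChainValidAt(c, later))
}
```

Two days in, the leaf-only check still says yes while the full verification reports the expired intermediate; that divergence is exactly the window in which a resumed session outlives the trust that established it.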