CVE-2025-61730

MEDIUM5.3EPSS 0.01%

Handshake messages may be processed at the incorrect encryption level in crypto/tls

發布日:2026/1/28修改日:2026/5/15

描述

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

受影響套件(6)

Bitnami/golangfrom 0, < 1.24.12, >= 1.25.0, < 1.25.6
Debian/golang-1.15from 0
Debian/golang-1.19from 0
Debian/golang-1.24from 0
Debian/golang-1.25from 0, < 1.25.6-1
Go/stdlibfrom 0, < 1.24.12, >= 1.25.0, < 1.25.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(6)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-61730
PATCHhttps://go.dev/cl/724120
REPORThttps://go.dev/issue/76443
WEBhttps://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-61730
WEBhttps://pkg.go.dev/vuln/GO-2026-4340