References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

CWE-532

OR
          *cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* versions up to (excluding) 1.24.8
          *cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* versions from (including) 1.25.0 up to (excluding) 1.25.2

CVE: http://www.openwall.com/lists/oss-security/2025/10/08/1 Types: Mailing List, Release Notes, Third Party Advisory

Go Project: https://go.dev/cl/707776 Types: Patch

Go Project: https://go.dev/issue/75652 Types: Issue Tracking

Go Project: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI Types: Mailing List, Release Notes

Go Project: https://pkg.go.dev/vuln/GO-2025-4008 Types: Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/10/08/1

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

https://go.dev/cl/707776

https://go.dev/issue/75652

https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

https://pkg.go.dev/vuln/GO-2025-4008