CVE-2025-61730

Published: Jan 28, 2026

Modified: Feb 2, 2026

PUBLISHED

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Vendor	Product	Versions
Go standard library	crypto/tls	affected `0 - < 1.24.12` affected `1.25.0 - < 1.25.6`

References

https://go.dev/cl/724120

https://go.dev/issue/76443

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

https://pkg.go.dev/vuln/GO-2026-4340

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-61730

Description

Affected Products

References