CVE-2025-61725
cAdvisor Vulnerability Analysis and Mitigation

Overview

CVE-2025-61725 is a denial-of-service vulnerability in Go's net/mail package, specifically in the ParseAddress code path. It was reported by Philippe Antoine of Catena cyber and publicly disclosed on October 7, 2025, with fixes released in Go 1.25.2 and 1.24.8. All Go versions before 1.24.8 are affected, as are 1.25.0 and 1.25.1 (Golang Announce, Go Packages).

Technical details

The vulnerability stems from how the parser builds a domain-literal (the bracketed form of a domain, such as user@[192.0.2.1]): the characters between the brackets are accumulated by repeated string concatenation, so each appended character copies everything accumulated so far and total work grows quadratically with the length of the literal. A sufficiently large domain-literal therefore causes excessive CPU consumption. Every entry point that reaches this code is affected: ParseAddress, ParseAddressList, AddressParser.Parse, AddressParser.ParseList, and Header.AddressList. The vulnerability has a CVSS 3.1 base score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, no privileges or user interaction required, and an availability-only impact (Ubuntu Security).

Impact

The primary impact is denial of service through CPU exhaustion: an attacker who can submit an address containing a large domain-literal forces the parser into quadratic-time work, degrading or stalling the affected process. The exposure is greatest for applications that parse untrusted email addresses (for example, mail-handling services or input validators that call ParseAddress on user-supplied strings) or that parse addresses at high volume, since each oversized address ties up a CPU for a disproportionate amount of time (Debian Security).

Mitigation and workarounds

The vulnerability is fixed in Go 1.24.8 and 1.25.2, and users should upgrade to one of these versions. Because the fix lives in the standard library, it is not enough to update the toolchain: every Go binary that uses net/mail (cAdvisor included) must be rebuilt with a patched toolchain and redeployed, and govulncheck can be used to identify binaries that still contain the vulnerable code. For Debian-based systems, fixed packages are golang-1.24 (1.24.8-1) and golang-1.25 (1.25.2-1). Ubuntu has also released updates across its supported releases. Where an immediate rebuild is not possible, capping the length of address strings before they reach net/mail limits the amount of work an attacker can force (Golang Announce, Debian Security).
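The following Go program is an added example that is not part of the original advisory or of Go's net/mail source. It illustrates two things from the sections above: the quadratic concatenation pattern described under technical details (modelled by quadraticDomainLiteral, a simplified stand-in rather than the real parser, which also decodes runes and validates dtext characters) beside a linear single-pass alternative, and the length-cap workaround described under mitigation (ParseAddressBounded). The constant maxAddressLen, the function names, and the constructed hostile input are all assumptions for illustration; the linear version is a generic fix pattern, not a claim about the exact upstream patch.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
	"time"
)

// maxAddressLen is an assumed application-level cap on one address string.
// It is not part of net/mail; choose a value that fits your inputs (RFC 5321
// limits a path to 256 octets, so 1024 is generous).
const maxAddressLen = 1024

// ErrAddressTooLong is returned before net/mail is ever invoked.
var ErrAddressTooLong = errors.New("mail address exceeds length limit")

// quadraticDomainLiteral models the pre-fix pattern: the text between '[' and
// ']' is accumulated with string +=, so each appended byte copies everything
// accumulated so far and total work grows with the square of the literal's
// length. Simplified illustration, not Go's actual net/mail code.
func quadraticDomainLiteral(s string) (string, error) {
	if !strings.HasPrefix(s, "[") {
		return "", errors.New(`missing "[" in domain-literal`)
	}
	dtext := ""
	for i := 1; i < len(s); i++ {
		if s[i] == ']' {
			return "[" + dtext + "]", nil
		}
		dtext += s[i : i+1] // O(len(dtext)) copy on every iteration
	}
	return "", errors.New("unclosed domain-literal")
}

// linearDomainLiteral does the same job in one pass: find the closing bracket
// and slice, so cost is proportional to the literal's length.
func linearDomainLiteral(s string) (string, error) {
	if !strings.HasPrefix(s, "[") {
		return "", errors.New(`missing "[" in domain-literal`)
	}
	end := strings.IndexByte(s, ']')
	if end < 0 {
		return "", errors.New("unclosed domain-literal")
	}
	return s[:end+1], nil
}

// ParseAddressBounded is the defensive wrapper: reject oversized input before
// handing it to net/mail, so an unpatched runtime never parses a huge
// domain-literal. Upgrading Go remains the real fix.
func ParseAddressBounded(s string) (*mail.Address, error) {
	if len(s) > maxAddressLen {
		return nil, ErrAddressTooLong
	}
	return mail.ParseAddress(s)
}

// buildLargeLiteral constructs a hostile input: an address whose
// domain-literal is n bytes long (constructed sample, not a real payload).
func buildLargeLiteral(n int) string {
	return "user@[" + strings.Repeat("a", n) + "]"
}

// timeIt measures one call of a domain-literal consumer.
func timeIt(f func(string) (string, error), in string) time.Duration {
	start := time.Now()
	f(in)
	return time.Since(start)
}

func main() {
	// Only the "[aaa...]" part is fed to the two consumers.
	lit := buildLargeLiteral(60000)[len("user@"):]
	fmt.Printf("quadratic: %v\n", timeIt(quadraticDomainLiteral, lit))
	fmt.Printf("linear:    %v\n", timeIt(linearDomainLiteral, lit))

	_, err := ParseAddressBounded(buildLargeLiteral(1 << 20))
	fmt.Println("bounded wrapper on 1 MiB literal:", err)

	addr, err := ParseAddressBounded("Alice <alice@example.com>")
	fmt.Println("bounded wrapper on a normal address:", addr, err)
}
```

Running main prints the two timings side by side; the quadratic consumer takes a fraction of a second on a 60 kB literal while the linear one is effectively instantaneous, and growing the literal makes the gap widen quadratically. The wrapper rejects the 1 MiB input without calling into net/mail at all, which is the point of the workaround: the cost an attacker can impose is bounded by maxAddressLen rather than by whatever they choose to send.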
