
Cloud Vulnerability DB
Community-driven vulnerability database
CVE-2025-58189 is a security vulnerability in the Go programming language's crypto/tls package, affecting versions before Go 1.24.8 and versions from Go 1.25.0 before Go 1.25.2. The vulnerability was disclosed on October 29, 2025, and affects ALPN (Application-Layer Protocol Negotiation). When Conn.Handshake fails during ALPN negotiation, the returned error contains attacker-controlled information supplied by the client that is not properly escaped (Golang Announce, Debian Security).
The vulnerability exists in the crypto/tls Conn.Handshake method, which returns an error on the server side when ALPN negotiation fails. The error message contains arbitrary attacker-controlled information provided by the client side of the connection without proper escaping. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Ubuntu Security).
The vulnerability primarily affects programs that log these errors without additional sanitization, potentially allowing injection of attacker-controlled information into log files. This could lead to log injection attacks and potential information disclosure issues (Golang Announce).
The vulnerability has been fixed in Go versions 1.24.8 and 1.25.2. Users are advised to upgrade to these versions or later. The fix was implemented through commits 205d0865958a6d2342939f62dfeaf47508101976 (go1.25.2) and 2e1e356e33b9c792a9643749a7626a1789197bb9 (go1.24.8) (Debian Security).
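For programs that log handshake errors, the following added example (not code from the Go project or from the advisories cited here) shows one way to escape and bound the error text before it reaches a log file. The function name formatHandshakeError, the 256-byte cap, the log field names and the sample error string are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"unicode/utf8"
)

// maxErrLen caps how much of an untrusted error string reaches the log
// (assumed limit, pick one that suits your log pipeline).
const maxErrLen = 256

// formatHandshakeError renders one log line for a failed TLS handshake.
// The error text is treated as untrusted: it is truncated, then quoted so
// that newlines, control bytes and non-ASCII runes become visible escapes.
func formatHandshakeError(remote string, err error) string {
	msg := err.Error()
	truncated := false
	if len(msg) > maxErrLen {
		// Cut on a rune boundary so the quoted output stays well-formed.
		cut := maxErrLen
		for cut > 0 && !utf8.RuneStart(msg[cut]) {
			cut--
		}
		msg, truncated = msg[:cut], true
	}
	return fmt.Sprintf("event=tls_handshake_failed remote=%s err=%s truncated=%t",
		strconv.QuoteToASCII(remote), strconv.QuoteToASCII(msg), truncated)
}

func main() {
	// Constructed sample: an error whose text embeds a client-supplied value
	// containing a line break followed by a forged-looking entry.
	err := errors.New("handshake failed (\"h2\nevent=login user=admin\")")
	line := formatHandshakeError("203.0.113.7:50514", err)
	fmt.Println(line)
	// The record stays on a single line because the line break is escaped.
	fmt.Println("lines written:", strings.Count(line, "\n")+1)
}
```

In a server, the same function would be applied to the error returned by Conn.Handshake, or inside whatever writer backs the server's error log, before the line is emitted.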
Source: This report was generated using AI