CVE-2025-61723: 
cAdvisor 脆弱性の分析と軽減

CVE-2025-61723 is a vulnerability discovered in Go programming language that affects the encoding/pem package. The vulnerability was disclosed on October 29, 2025, and affects programs which parse untrusted PEM inputs. The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input, making it a potential security concern for applications handling PEM data (Go Project, NVD).

The vulnerability stems from the design of the PEM parsing function, where the processing time exhibits quadratic complexity for certain invalid inputs. The issue has been assigned a CVSS 3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (CISA-ADP).

The vulnerability primarily affects the availability of systems processing PEM inputs. When exploited, it can cause excessive CPU consumption due to the non-linear scaling of processing time, potentially leading to denial of service conditions. The CVSS scoring indicates no impact on confidentiality or integrity, but a high impact on availability (Rapid7).

The vulnerability has been fixed in Go versions 1.24.8 and 1.25.2. Users are advised to upgrade to these patched versions to address the security issue. The fix was implemented through commits 74d4d836b91318a8764b94bc2b4b66ff599eb5f2 (go1.24.8) and 90f72bd5001d0278949fab0b7a40f7d8c712979b (go1.25.2) (OSS Security).