CVE-2025-58185: 
cAdvisor vulnerability analysis and mitigation

CVE-2025-58185 is a vulnerability discovered in the Go programming language's encoding/asn1 package. The vulnerability was disclosed on October 29, 2025, affecting Go versions before 1.24.8 and from 1.25.0 before 1.25.2. When parsing DER payloads, memories were being allocated prior to fully validating the payloads, which could lead to memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse (Go Project, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue stems from the pre-allocation of memory when parsing DER (Distinguished Encoding Rules) payloads before complete payload validation. This design flaw allows attackers to craft large empty DER payloads that can trigger excessive memory allocation (CISA-ADP, Ubuntu).

The vulnerability can lead to memory exhaustion in systems processing DER payloads through affected functions. This primarily affects applications that use the encoding/asn1 package for parsing untrusted DER inputs, potentially causing denial of service conditions through resource exhaustion (Go Project).

The vulnerability has been fixed in Go versions 1.24.8 and 1.25.2. Users are advised to upgrade to these patched versions. The fix involves proper validation of DER payloads before memory allocation (Go Project).

The vulnerability was responsibly disclosed and reported by security researcher Jakub Ciolek. The Go team promptly addressed the issue by releasing security updates in versions 1.24.8 and 1.25.2 (Go Project).