CVE-2025-58189: 
Linux Debian vulnerability analysis and mitigation

The CVE-2025-58189 is a security vulnerability affecting Go programming language versions prior to 1.25.2 and 1.24.8. The vulnerability exists in the crypto/tls package, specifically in the conn.Handshake method, where ALPN (Application-Layer Protocol Negotiation) negotiation errors can contain arbitrary text. The vulnerability was discovered and reported by the National Cyber Security Centre Finland and was patched in October 2025 (Go Announce).

The vulnerability occurs when the crypto/tls conn.Handshake method returns an error on the server-side during ALPN negotiation failure. The error message can contain arbitrary attacker-controlled information provided by the client-side of the connection, which is not properly escaped. This affects programs that log these errors without additional sanitization measures (Go Issue, Go Announce).

The primary impact of this vulnerability is the potential injection of attacker-controlled information into system logs. Programs that log these errors without implementing additional sanitization measures are particularly vulnerable. While the impact is relatively limited due to most logging software filtering control characters, it still presents a security risk for affected systems (Go Issue).

The vulnerability has been fixed in Go versions 1.25.2 and 1.24.8. Users are strongly advised to upgrade to these versions or later. For those unable to upgrade immediately, implementing additional log sanitization measures for TLS-related error messages can help mitigate the risk (Go Announce).