CVE-2025-61725: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-61725 is a security vulnerability affecting the Go programming language's net/mail package. The vulnerability was discovered by Philippe Antoine (Catena cyber) and was publicly disclosed on October 7, 2025. The issue affects multiple versions of Go and was fixed in versions 1.25.2 and 1.24.8. The vulnerability specifically impacts the ParseAddress function in the net/mail package (Golang Announce).

The vulnerability exists in the ParseAddress function of the net/mail package, which constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this implementation could cause excessive CPU consumption, potentially leading to a denial of service condition. The issue was assigned a medium priority rating by Ubuntu security team (Ubuntu Security).

When exploited, this vulnerability can cause excessive CPU consumption in applications that process email addresses using Go's net/mail package. This could potentially lead to denial of service conditions in affected systems, particularly when processing large domain-literal components (Golang Announce).

The vulnerability has been fixed in Go versions 1.25.2 and 1.24.8. Users are advised to upgrade to these versions or later. The fix can be obtained by downloading binary and source distributions from the Go website or by using git checkout go1.25.2 for source compilation (Golang Announce).