CVE-2025-61725: 
cAdvisor vulnerability analysis and mitigation

CVE-2025-61725 is a security vulnerability discovered in Go's net/mail package, specifically affecting the ParseAddress function. The vulnerability was discovered by Philippe Antoine (Catena cyber) and was publicly disclosed on October 29, 2025. The issue affects multiple versions of Go, including versions before 1.24.8 and from 1.25.0 before 1.25.2 (Go Project, NVD).

The vulnerability stems from the ParseAddress function's implementation, which constructs domain-literal address components through repeated string concatenation. This design flaw can lead to excessive CPU consumption when parsing large domain-literal components. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is on system availability. When processing large domain-literal components, the affected function can cause excessive CPU consumption, potentially leading to denial of service conditions. This affects any applications that use the Go net/mail package for parsing email addresses (Go Project).

The vulnerability has been fixed in Go versions 1.24.8 and 1.25.2. Users are advised to upgrade to these patched versions. The fix was implemented through code changes that address the string concatenation issue in the ParseAddress function (Go Project).

The Go team promptly addressed the vulnerability as part of a security release that included fixes for multiple security issues. The vulnerability was treated as a high-priority security issue, as evidenced by its inclusion in a dedicated security release (Go Project).