Jakub Ciolek

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.25-1.25.11-1.1 Go versions prior to 1.26-1.26.4-1.1 **Description** Inefficient candidate hostname parsing occurs in the `crypto/x509` package. The `(*x509.Certificate).VerifyHostname` function previously called `matchHostnames()` in a loop over all DNS Subject Alternative Name (SAN) entries, causing `strings.Split(host, ".")` to execute repeatedly on the same input hostname. When a large DNS SAN list is present, verification costs scale quadratically based on the number of SAN entries multiplied by the hostname's label count. This overhead occurs even for untrusted certificates because `x509.Verify` validates hostnames before building the certificate chain. **Recommendations** Update to version 1.25-1.25.11-1.1. Update to version 1.26-1.26.4-1.1.

Name of the Vulnerable Software and Affected Versions tar.Reader (affected versions not specified) Description tar.Reader can allocate an unbounded amount of memory when processing a specially crafted archive containing numerous sparse regions encoded using the "old GNU sparse map" format. This can lead to excessive memory consumption and potentially cause a denial-of-service condition. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AWS Lambda (affected versions not specified) **Description** A flaw exists in AWS Lambda base images utilizing stdlib. Specifically, when validating a certificate chain with multiple email address constraints that share common local portions but differ in domain portions, the constraints are not correctly applied. Only the last constraint in the chain is considered during verification. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AWS Lambda (affected versions not specified) **Description** A flaw exists where certificate verification can lead to a program crash. This occurs when a certificate within a chain lacks a DNS name while another certificate in the same chain has excluded name constraints. This issue impacts programs directly verifying X.509 certificate chains or those utilizing TLS. The issue affects 27 Lambda base images using stdlib. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SSH Agent (affected versions not specified) **Description** SSH Agent servers do not properly check the size of messages when handling new identity requests. This can lead to a program crash, specifically a panic, if a deliberately crafted, malformed message causes an out-of-bounds read. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SSH servers (affected versions not specified) **Description** SSH servers that process GSSAPI authentication requests are susceptible to an issue where the number of mechanisms included in the request is not validated. This can lead to excessive memory usage, potentially causing a denial-of-service condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SSH clients (affected versions not specified) **Description** SSH clients may experience a panic and premature termination of the client process when receiving an SSH AGENT SUCCESS response while expecting a typed response. This can lead to disruptions in SSH sessions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** golang.org/x/net/html (affected versions not specified) **Description** The `html.Parse` function exhibits quadratic parsing complexity when handling specific inputs. This can result in a denial of service (DoS) if an attacker submits maliciously crafted HTML content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** golang versions 1.15 golang versions 1.19 **Description** The software experiences quadratic complexity during the parsing of certain invalid inputs when handling PEM encoded data. This can lead to performance issues. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.24.9-alt1 Gobuster version 3.8.2 complyctl (affected versions not specified) containernetworking-plugins version 1.9.0 OpenTofu (affected versions not specified) **Description** The Go programming language contains a flaw in the `crypto/x509` component where validating certificate chains with DSA public keys can lead to a program panic due to an incorrect interface cast. This occurs because the code expects DSA public keys to implement the `Equal` method. Exploitation of this issue by a remote attacker can result in a denial-of-service condition. Additionally, OpenTofu is affected by a denial-of-service issue in the "tofu init" function when processing maliciously crafted module package responses. Fedora has released updates for containernetworking-plugins, Gobuster, and complyctl to address security vulnerabilities, including CVE-2025-58188. **Recommendations** Update Go to version 1.24.9-alt1 or later. Update Gobuster to version 3.8.2. Apply the latest security updates for complyctl. Update containernetworking-plugins to version 1.9.0. Apply the latest security updates for OpenTofu.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.24.12 Go versions prior to 1.25.6 **Description** The Go programming language contains a flaw in the archive/zip functionality that can lead to denial-of-service. Specifically, crafted ZIP files can trigger super-linear processing and excessive consumption of memory and CPU resources when opened, potentially causing a disruption of service. This issue affects backend services and build pipelines that automatically parse ZIP content. **Recommendations** Update to Go version 1.24.12 or later. Update to Go version 1.25.6 or later.

**Name of the Vulnerable Software and Affected Versions** golang versions 1.15 golang versions 1.19 **Description** The software exhibits quadratic complexity when checking name constraints in X.509 certificate validation. This can lead to performance issues during certificate verification. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** golang versions 1.15 golang versions 1.19 **Description** The `Reader.ReadResponse` function in the `net/textproto` package experiences excessive CPU consumption. **Recommendations** Update to a newer version of golang that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.24.9-alt1 OpenTofu versions <=2.10.0 **Description** The issue is a memory exhaustion flaw in the encoding/asn1 package of the Go programming language. The code pre-allocates memory based on fields within a DER structure before fully validating the correctness or content of those fields. Processing a maliciously crafted DER payload can lead to excessive memory allocation, potentially causing a denial-of-service condition. The vulnerability also affects OpenTofu, causing a denial of service in the `tofu init` function when processing maliciously crafted module package responses. **Recommendations** Go versions prior to 1.24.9-alt1: Upgrade to version 1.24.9-alt1 or later. OpenTofu versions <=2.10.0: Update to a version greater than 2.10.0.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 2.4 through 2.10.2 Argo CD versions 2.4 through 2.9.7 Argo CD versions 2.4 through 2.8.11 **Description** The issue is related to the `loadRepoIndex()` function in Argo CD's helm package, which does not limit the size or time while fetching data from a Helm registry. This can lead to a Denial-of-Service attack vector, where the repo server component can be crashed through an out of memory error by pointing it to a malicious Helm registry. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. **Recommendations** For versions 2.4 through 2.10.2, update to version 2.10.3 or later. For versions 2.4 through 2.9.7, update to version 2.9.8 or later. For versions 2.4 through 2.8.11, update to version 2.8.12 or later. As a temporary workaround, consider restricting access to the vulnerable `loadRepoIndex()` function in the Argo CD's helm package until a patch is available.