PT-2026-2481 · Google+2 · Go+2

Jakub Ciolek · Published 2025-01-01 · Updated 2026-03-13 · CVE-2025-61728

CVSS v3.1: 6.5
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Go versions prior to 1.24.12
Go versions prior to 1.25.6

Description

The Go programming language contains a flaw in the archive/zip functionality that can lead to denial-of-service. Specifically, crafted ZIP files can trigger super-linear processing and excessive consumption of memory and CPU resources when opened, potentially causing a disruption of service. This issue affects backend services and build pipelines that automatically parse ZIP content.

Recommendations

Update to Go version 1.24.12 or later.
Update to Go version 1.25.6 or later.

Exploit

Fix

DoS

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

ALSA-2026:2706
ALSA-2026:2708
ALSA-2026:2709
ALSA-2026:2914
ALSA-2026:2920
ALSA-2026:3188
ALSA-2026:3336
ALSA-2026:3337
ALSA-2026:3752
ALSA-2026:3753
BIT-GOLANG-2025-61728
CLEANSTART-2026-RD09851
CLEANSTART-2026-UK11127
CLEANSTART-2026-WK32717
CVE-2025-61728
ECHO-DCEE-75BC-CD88
GO-2026-4342
MGASA-2026-0035
OPENSUSE-SU-2026:10329-1
RHSA-2026:2706
RHSA-2026:2708
RHSA-2026:2709
RHSA-2026:2914
RHSA-2026:2920
RHSA-2026:3188
RHSA-2026:3192
RHSA-2026:3193
RHSA-2026:3336
RHSA-2026:3337
RHSA-2026:3469
RHSA-2026:3471
RHSA-2026:3472
RHSA-2026:3473
RHSA-2026:3489
RHSA-2026:3752
RHSA-2026:3753
RHSA-2026:3831
RHSA-2026:3833
RHSA-2026:3835
RHSA-2026:3836
RHSA-2026:3838
RHSA-2026:3851
RHSA-2026:3854
RHSA-2026:3880
SUSE-SU-2026:0297-1
SUSE-SU-2026:0298-1
SUSE-SU-2026:0308-1

Affected Products

Go
Red Os
Rocky Linux