CVE-2025-58189

Опубликовано: 29 окт. 2025

Источник: debian

EPSS Низкий

Описание

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
golang-1.25	fixed	1.25.2-1		package
golang-1.24	fixed	1.24.8-1		package
golang-1.24	no-dsa		trixie	package
golang-1.23	removed			package
golang-1.19	removed			package
golang-1.19	no-dsa		bookworm	package
golang-1.15	removed			package
golang-1.15	postponed		bullseye	package

Примечания

https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
https://github.com/golang/go/issues/75652
https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976 (go1.25.2)
https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9 (go1.24.8)

EPSS

Процентиль: 4%

0.0002

Низкий

Связанные уязвимости

CVE-2025-58189

CVSS3: 5.3

ubuntu

3 месяца назад

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

CVE-2025-58189

CVSS3: 5.3

nvd

3 месяца назад

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

CVE-2025-58189

msrc

3 месяца назад

ALPN negotiation error contains attacker controlled information in crypto/tls

GHSA-cxq7-xw9v-rcv3

CVSS3: 5.3

github

3 месяца назад

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

BDU:2025-14526

CVSS3: 5.3

fstec

3 месяца назад

Уязвимость компонента crypto/tls языка программирования Go, позволяющая нарушителю раскрыть защищаемую информацию

EPSS

Процентиль: 4%

0.0002

Низкий