CVE-2025-61723 Overview
CVE-2025-61723 is a Denial of Service vulnerability affecting Golang Go that stems from non-linear processing time when parsing certain invalid PEM inputs. This algorithmic complexity attack enables remote attackers to cause resource exhaustion by submitting specially crafted PEM data to applications that parse untrusted input.
Critical Impact
Applications parsing untrusted PEM inputs may become unresponsive or crash when processing maliciously crafted data, leading to service disruption.
Affected Products
- Golang Go (various versions)
Discovery Timeline
- 2025-10-29 - CVE CVE-2025-61723 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-61723
Vulnerability Analysis
This vulnerability falls under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in how Go's PEM parsing implementation handles certain malformed inputs. When processing invalid PEM data, the parsing algorithm exhibits non-linear time complexity relative to input size. This means that as the size of the malicious input increases, the processing time grows disproportionately, potentially causing extended CPU consumption and service unavailability.
The vulnerability affects any Go application that accepts and parses PEM-encoded data from untrusted sources, such as certificate handling services, TLS termination proxies, or authentication systems that process client certificates.
Root Cause
The root cause is an algorithmic complexity flaw in the PEM parsing logic. When encountering specific patterns of invalid input, the parser enters a processing loop that scales non-linearly with input size. This represents a classic algorithmic complexity attack vector where an attacker can consume disproportionate server resources with relatively small but carefully constructed payloads.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can target any network-exposed service that parses PEM data from untrusted sources. The attack works by submitting malformed PEM input that triggers the non-linear parsing behavior.
Attack scenarios include:
- Sending crafted PEM data to TLS certificate validation endpoints
- Submitting malicious certificate signing requests (CSRs)
- Targeting authentication services that parse client-provided certificates
- Exploiting API endpoints that accept PEM-encoded cryptographic material
Since no exploit code is currently available in public repositories and no proof-of-concept has been published, the specific input patterns required to trigger this behavior are not publicly documented. For technical details, refer to the Go.dev Issue Tracker Report.
Detection Methods for CVE-2025-61723
Indicators of Compromise
- Abnormally high CPU utilization in Go services that process PEM data
- Extended request processing times for endpoints accepting PEM input
- Service timeouts or unresponsiveness when handling certificate-related operations
- Spike in resource consumption without corresponding increase in legitimate traffic
Detection Strategies
- Monitor CPU usage patterns on services parsing PEM data for sudden spikes or sustained high utilization
- Implement application-level logging to track PEM parsing operation durations
- Deploy anomaly detection for request processing times on certificate handling endpoints
- Configure alerting for Go runtime metrics indicating processing bottlenecks
Monitoring Recommendations
- Enable request timeout monitoring for PEM parsing operations
- Track memory and CPU metrics at the application container or process level
- Implement distributed tracing to identify slow PEM parsing calls
- Monitor error rates and timeout frequencies on certificate processing endpoints
How to Mitigate CVE-2025-61723
Immediate Actions Required
- Update Golang Go to a patched version as indicated in the vendor advisory
- Implement input size limits on PEM data accepted from untrusted sources
- Add request timeouts for PEM parsing operations to prevent resource exhaustion
- Review applications to identify all instances where untrusted PEM data is processed
Patch Information
The Go team has released a fix addressing this algorithmic complexity issue. The patch is available via Go.dev Change Log Entry. Detailed vulnerability information can be found in the Go.dev Vulnerability Report. The Google Groups Announcement provides additional context on affected versions and upgrade guidance.
Workarounds
- Implement strict input validation and size limits on PEM data before parsing
- Add processing timeouts to terminate PEM parsing operations that exceed expected duration
- Deploy rate limiting on endpoints that accept PEM input from untrusted sources
- Consider using a reverse proxy to filter and validate PEM input before it reaches the Go application
- Isolate PEM parsing operations in separate goroutines with timeout controls
# Configuration example for input size limits and timeouts
# Add to application configuration or reverse proxy
# Example: Limit PEM input size in nginx proxy
client_max_body_size 64k;
# Example: Set timeout for upstream PEM processing
proxy_read_timeout 30s;
proxy_connect_timeout 10s;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
