CVE-2025-61724 Overview
CVE-2025-61724 affects the Go standard library's net/textproto package. The Reader.ReadResponse function builds a response string by repeatedly concatenating lines. When a response contains a large number of lines, this pattern causes excessive CPU consumption due to repeated allocations and copies.
The issue impacts Go applications that parse network protocol responses using net/textproto, including SMTP, NNTP, and HTTP-adjacent clients. A remote peer can send a response with a very large number of lines to trigger this quadratic parsing cost and degrade service availability.
Critical Impact
Remote, unauthenticated attackers can cause CPU exhaustion in Go services that call Reader.ReadResponse, leading to denial of service for affected applications.
Affected Products
- Golang Go (standard library net/textproto package)
- Applications and services linking against vulnerable Go versions
- Go-based clients parsing multi-line protocol responses (SMTP, NNTP, FTP-style)
Discovery Timeline
- 2025-10-08 - Vulnerability disclosed via Openwall OSS Security mailing list
- 2025-10-29 - CVE-2025-61724 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-61724
Vulnerability Analysis
The vulnerability stems from inefficient string construction in Reader.ReadResponse. The function reads protocol response lines and joins them through repeated concatenation. Each concatenation allocates a new string and copies prior content, producing quadratic time complexity relative to the number of lines.
The weakness maps to [CWE-770] Allocation of Resources Without Limits or Throttling. The Go vulnerability database tracks the issue as GO-2025-4015. Because net/textproto underpins higher-level protocol parsers in the standard library, the bug surfaces in any Go program that consumes textual protocol responses from untrusted peers.
Root Cause
The root cause is the use of += style string concatenation inside a per-line loop within ReadResponse. Strings in Go are immutable, so each append builds a new backing array. Processing N lines results in roughly N² byte copies and allocations, allowing a small response payload to consume disproportionate CPU time.
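To make the quadratic cost concrete, the following is an added Go example (it is not the net/textproto source and not the project's own code) that joins a constructed multi-line reply twice: once with the += pattern the unpatched loop used, and once with strings.Builder, which is the shape of the fix. Each joiner also reports how many bytes it had to copy. The messageText helper, the constructedReply sample lines and the function names are this example's own assumptions.

```go
package main

// Added illustration of the root cause behind CVE-2025-61724: the same
// multi-line join written with repeated string concatenation (the shape of
// the unpatched loop) and with strings.Builder (the shape of the fix).
// This is not the net/textproto source.

import (
	"fmt"
	"strings"
	"time"
)

// constructedReply builds a sample SMTP-style multi-line reply: n continuation
// lines ("250-...") followed by the terminating "250 " line. Constructed data.
func constructedReply(n int) []string {
	lines := make([]string, 0, n+1)
	for i := 0; i < n; i++ {
		lines = append(lines, fmt.Sprintf("250-EXTENSION-%05d", i))
	}
	return append(lines, "250 OK")
}

// messageText returns the text after the three-digit code and its separator,
// which is the part of each line a ReadResponse-style parser keeps.
func messageText(line string) string {
	if len(line) < 4 {
		return line
	}
	return line[4:]
}

// joinConcat mirrors the vulnerable pattern: message += "\n" + text. Go
// strings are immutable, so every += allocates a fresh string and copies
// everything accumulated so far. The second return value counts the bytes the
// runtime copies per concatenation (old message + separator + new text),
// which grows quadratically with the number of lines.
func joinConcat(lines []string) (string, int) {
	copied := 0
	message := ""
	for i, line := range lines {
		text := messageText(line)
		if i == 0 {
			message = text
			continue
		}
		copied += len(message) + 1 + len(text)
		message += "\n" + text
	}
	return message, copied
}

// joinBuilder mirrors the patched shape: strings.Builder grows its backing
// array geometrically, so total work is linear in the output size. The second
// return value is the number of bytes written.
func joinBuilder(lines []string) (string, int) {
	var b strings.Builder
	for i, line := range lines {
		if i > 0 {
			b.WriteByte('\n')
		}
		b.WriteString(messageText(line))
	}
	return b.String(), b.Len()
}

func main() {
	lines := constructedReply(5000)

	start := time.Now()
	viaConcat, copied := joinConcat(lines)
	concatTime := time.Since(start)

	start = time.Now()
	viaBuilder, written := joinBuilder(lines)
	builderTime := time.Since(start)

	fmt.Printf("same output: %v\n", viaConcat == viaBuilder)
	fmt.Printf("concat:  %d bytes copied in %v\n", copied, concatTime)
	fmt.Printf("builder: %d bytes written in %v\n", written, builderTime)
}
```

Both functions produce the same message string; only the copy volume differs. Because a response of N lines costs roughly N times more copying under the concatenation pattern than under the builder, a peer controls the client's CPU time simply by choosing N, which is why the mitigations below cap line counts before parsing.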
Attack Vector
An attacker controls a server or peer that the vulnerable Go client connects to, or returns crafted responses to a Go-based proxy or scanner. The attacker sends a multi-line response with a very large line count. The Go process spends excessive CPU cycles assembling the response string, reducing throughput for legitimate workloads.
No authentication or user interaction is required. The attack vector is network-based, and impact is limited to availability. See the Go Vulnerability Report GO-2025-4015 for technical details.
Detection Methods for CVE-2025-61724
Indicators of Compromise
- Sustained high CPU utilization in Go processes performing net/textproto operations without proportional network throughput
- Inbound connections from untrusted peers returning unusually long multi-line protocol responses
- Stack samples showing time concentrated in net/textproto.(*Reader).ReadResponse or string concatenation runtime functions
Detection Strategies
- Run govulncheck against Go binaries and source trees to identify use of vulnerable net/textproto symbols
- Inventory services that act as SMTP, NNTP, or similar clients written in Go and verify their toolchain version
- Profile production Go services with pprof and alert on CPU samples dominated by textproto response parsing
Monitoring Recommendations
- Track per-process CPU and goroutine counts for Go services exposed to external protocol responses
- Log peer-supplied response sizes and line counts at the application layer to surface anomalously large multi-line replies
- Correlate availability degradation events with network connections to or from untrusted endpoints
How to Mitigate CVE-2025-61724
Immediate Actions Required
- Upgrade Go to a patched release that includes the fix from Go change list 709859
- Rebuild and redeploy all Go binaries that depend on net/textproto, including transitive consumers
- Run govulncheck across CI pipelines and production artifacts to confirm the vulnerable symbol is no longer reachable
Patch Information
The fix is tracked in Go issue 75716 and landed via Go change list 709859. The patched implementation replaces repeated concatenation with a buffered builder, eliminating the quadratic behavior. Refer to the golang-announce notice and the Openwall advisory for release coordinates.
Workarounds
- Restrict Go-based clients to trusted upstream servers when patching is delayed
- Enforce application-layer limits on response size and line count before delegating to textproto parsing
- Place vulnerable services behind proxies or load balancers that cap response body length and connection duration
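As an added example of the application-layer limits in the second workaround above, and of the line-count logging suggested under Monitoring Recommendations, the following Go code (not the project's own) caps both the byte count and the line count of a peer's reply before handing the stream to net/textproto, and reports the number of lines observed so the caller can log oversized replies. ErrTooManyLines, lineLimitedReader, readBoundedResponse and the 250-style sample reply are this example's own names and constructed data.

```go
package main

// Added example (not the project's own code): bound the bytes and lines of a
// peer reply before net/textproto parses it, and expose the observed line
// count for logging. All names here are this example's own.

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net/textproto"
	"strings"
)

// ErrTooManyLines is returned once the peer exceeds the configured line budget.
var ErrTooManyLines = errors.New("protocol response exceeds line limit")

// lineLimitedReader counts newlines flowing from the peer and cuts the stream
// off at the first newline past maxLines. bufio.Reader delivers the bytes
// returned alongside the error before reporting it, so the parser sees at
// most maxLines complete lines and then the error.
type lineLimitedReader struct {
	r        io.Reader
	maxLines int
	lines    int // newlines seen so far; this is the value worth logging
	exceeded bool
}

func (l *lineLimitedReader) Read(p []byte) (int, error) {
	if l.exceeded {
		return 0, ErrTooManyLines
	}
	n, err := l.r.Read(p)
	for i, c := range p[:n] {
		if c != '\n' {
			continue
		}
		l.lines++
		if l.lines > l.maxLines {
			l.exceeded = true
			// Hand back only the bytes before the offending newline.
			return i, ErrTooManyLines
		}
	}
	return n, err
}

// readBoundedResponse wraps the peer stream in an io.LimitReader (byte cap)
// and a lineLimitedReader (line cap) and only then calls ReadResponse. The
// returned line count lets the caller log anomalously large replies.
func readBoundedResponse(peer io.Reader, expectCode int, maxBytes int64, maxLines int) (code int, message string, lines int, err error) {
	limiter := &lineLimitedReader{r: io.LimitReader(peer, maxBytes), maxLines: maxLines}
	tp := textproto.NewReader(bufio.NewReader(limiter))
	code, message, err = tp.ReadResponse(expectCode)
	return code, message, limiter.lines, err
}

// constructedReply builds a sample reply with n continuation lines followed by
// a terminating line (constructed test data, not captured traffic).
func constructedReply(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		fmt.Fprintf(&b, "250-x%d\r\n", i)
	}
	b.WriteString("250 done\r\n")
	return b.String()
}

func main() {
	for _, n := range []int{3, 5000} {
		code, msg, lines, err := readBoundedResponse(strings.NewReader(constructedReply(n)), 250, 1<<20, 100)
		if err != nil {
			fmt.Printf("%d-line reply rejected after %d lines: %v\n", n+1, lines, err)
			continue
		}
		fmt.Printf("code=%d lines=%d message=%q\n", code, lines, msg)
	}
}
```

The byte cap alone is not enough, because a peer can pack many short lines into a modest number of bytes; the line cap is what bounds the work ReadResponse performs on an unpatched toolchain. Pick maxLines from what the protocol legitimately needs (an SMTP EHLO reply, for instance, is a handful of lines) and alert when the logged count approaches it.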
# Verify Go toolchain version and scan binaries for vulnerable symbols
go version
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
govulncheck -mode=binary /path/to/your-go-binary
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.