CVE-2025-68121 Overview
CVE-2025-68121 is a certificate validation bypass in Go's crypto/tls package that affects TLS session resumption. If the ClientCAs or RootCAs field of the Config used for the original handshake is changed before a session is resumed, the resumed handshake can succeed even though a full handshake against the current trust anchors would have failed.
The condition arises when an application calls Config.Clone and mutates the ClientCAs or RootCAs of the returned Config, or when Config.GetConfigForClient returns a Config whose CA fields differ from the original's. The effect is that a client may resume a session with a server it would no longer accept in a fresh handshake, and a server may resume a session with a client whose certificate it would no longer accept.
Critical Impact
A resumed handshake reuses the peer certificates and the verification result recorded at the original handshake instead of re-checking the chain against the current ClientCAs or RootCAs. A peer that established a session while its issuing CA was trusted can therefore keep connecting by resumption after that CA has been removed: a Go client keeps trusting a server it should now reject, and a Go server doing client-certificate authentication keeps accepting a client whose CA has been dropped. The bypass is limited to peers that already hold a session from before the trust change; it does not let an arbitrary attacker present an untrusted certificate, but it does defeat the common practice of cutting off a compromised or retired CA by updating the trust store.
Affected Products
- Golang Go (multiple versions)
- Golang Go 1.26.0-rc1
- Golang Go 1.26.0-rc2
Discovery Timeline
- 2026-02-05 - CVE CVE-2025-68121 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2025-68121
Vulnerability Analysis
This vulnerability is a flaw in the session resumption logic of Go's crypto/tls package: trust anchors are enforced during the initial handshake but are not re-applied when a cached session or session ticket is used.
When a session is first established, the ClientCAs and RootCAs fields of the Config determine which certificate authorities are trusted, and the peer's chain is verified against them. On resumption the implementation reuses the certificates and verified chains stored with the session and does not verify them again against the Config in effect at that time. Configuration changes made in between, such as removing a compromised CA or tightening the trust policy, are therefore not enforced for resumed sessions.
The issue affects both sides of a connection. A client can resume a session with a server whose certificate chain is no longer trusted, and a server can accept a resumed session from a client whose issuing CA has been removed from ClientCAs.
Root Cause
The root cause is improper certificate validation (CWE-295) during TLS session resumption. The session state kept from the initial handshake (in the client's ClientSessionCache, or in the session ticket the server issues) records that the peer was verified, and the resumed handshake trusts that record instead of re-running verification against the ClientCAs or RootCAs of the Config now in use. Two Config behaviours make this reachable:
- Config.Clone() returns a shallow copy: a clone whose ClientCAs or RootCAs are then changed still points at the original's ClientSessionCache and starts out with the original's session ticket keys, so it can resume sessions the original established
- A Config returned from Config.GetConfigForClient uses the original Config's session ticket keys unless it sets its own (SessionTicketKey or SetSessionTicketKeys), so it can decrypt, and resume from, tickets issued under the original trust settings
In both cases the cached session or ticket carries the trust relationship of the original handshake past the updated constraints of the modified configuration.
Attack Vector
The attack is network-based, but it is not open to an arbitrary remote party. The attacker needs a session that was established while their certificate chain was still trusted (a ticket or cache entry from that handshake), and the target must have changed ClientCAs or RootCAs in one of the ways described above rather than by building a new Config. Given that, the scenarios are:
Certificate Revocation Bypass: If an organization removes a compromised CA from ClientCAs after sessions are established, a client holding a certificate from that CA can continue to authenticate to the Go server by resuming its existing session.
Trust Policy Circumvention: Applications that adjust trust per connection with GetConfigForClient (for example, per-tenant ClientCAs) may have the per-connection policy bypassed when a session issued under a different policy is resumed.
Man-in-the-Middle Persistence: A Go client that once accepted a server certificate from a CA it no longer trusts keeps resuming that session, so a server, or an on-path attacker holding a certificate from the removed CA, continues to be accepted after the CA is dropped from RootCAs.
No sophisticated technique is needed: the attacker simply resumes a previously established session after the peer has updated its CA trust configuration. The window closes when the session expires (Go limits ticket lifetime to seven days) or when the peer replaces its session cache or rotates its ticket keys, because a full handshake is then required and the current trust anchors are enforced.
Detection Methods for CVE-2025-68121
Indicators of Compromise
- Resumed TLS sessions (tls.ConnectionState.DidResume is true) whose PeerCertificates chain to a CA that has since been removed from ClientCAs or RootCAs
- Successful connections from peers that should have been cut off by a CA trust update
- Session caches or session ticket keys that were not replaced when the trust configuration changed
- Application logs showing resumed sessions with certificates that fail verification against the current trust store
Detection Strategies
- Review Go code for Config.Clone() calls followed by assignments to the ClientCAs or RootCAs fields of the clone
- Audit GetConfigForClient callbacks that return a Config with different CA fields without setting their own session ticket keys
- Log tls.ConnectionState for each connection (DidResume, PeerCertificates, VerifiedChains) so resumption events can be correlated with CA configuration changes
- Use static analysis (a go/ast or go/analysis pass over the code base) to find the clone-and-mutate pattern in code that uses crypto/tls
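A minimal version of the static check suggested above, written as an added Go example (it is not a tool from the Go project or from this page): it parses Go source with go/parser and flags every assignment to RootCAs or ClientCAs on a variable that was initialised from a Clone() call in the same function. The source it scans is constructed for the demo. The check is name-based and has no type information, so it will not follow a clone that arrives through a parameter or a var declaration; a go/analysis pass with type info would.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// FindCloneMutations is a name-based AST check (no type information) for the
// pattern the advisory warns about: a value obtained from a Clone() call whose
// RootCAs or ClientCAs field is then assigned. It returns one "file:line: msg"
// string per offending assignment.
func FindCloneMutations(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		fn, ok := n.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			return true
		}
		cloned := map[string]bool{} // variables assigned from x.Clone() in this function
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			as, ok := n.(*ast.AssignStmt)
			if !ok {
				return true
			}
			// cfg := base.Clone()  or  cfg = base.Clone()
			for i, rhs := range as.Rhs {
				call, ok := rhs.(*ast.CallExpr)
				if !ok || i >= len(as.Lhs) {
					continue
				}
				if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "Clone" {
					if id, ok := as.Lhs[i].(*ast.Ident); ok {
						cloned[id.Name] = true
					}
				}
			}
			// cfg.RootCAs = ...  or  cfg.ClientCAs = ...  on a cloned variable
			for _, lhs := range as.Lhs {
				sel, ok := lhs.(*ast.SelectorExpr)
				if !ok || (sel.Sel.Name != "RootCAs" && sel.Sel.Name != "ClientCAs") {
					continue
				}
				if id, ok := sel.X.(*ast.Ident); ok && cloned[id.Name] {
					pos := fset.Position(sel.Pos())
					findings = append(findings, fmt.Sprintf(
						"%s:%d: %s.%s assigned on a Config obtained from Clone(); build a new Config instead",
						pos.Filename, pos.Line, id.Name, sel.Sel.Name))
				}
			}
			return true
		})
		return false // the inner walk already covered this function, closures included
	})
	return findings, nil
}

// sampleSrc is constructed input for the check, not code from any real project.
// It is parsed only, so the missing imports do not matter.
const sampleSrc = `package demo

func perTenant(base *tls.Config, tenantPool *x509.CertPool) *tls.Config {
	cfg := base.Clone()
	cfg.ClientCAs = tenantPool // flagged: the clone shares base's session state
	return cfg
}

func fresh(pool *x509.CertPool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	cfg.RootCAs = pool // not flagged: cfg is a new Config, not a clone
	return cfg
}
`

func main() {
	findings, err := FindCloneMutations("demo.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Running it reports the single ClientCAs assignment in perTenant (line 5 of the sample) and stays quiet about fresh, which builds a new Config. The same perTenant shape is how GetConfigForClient callbacks are often written, so the check covers that case as well when the callback body clones and mutates.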
Monitoring Recommendations
- Go's crypto/tls does not log handshakes itself; record the connection state from the application, including whether each connection was resumed
- Monitor for connections that should have failed verification after a CA trust update
- Alert on resumed sessions observed after a change to the CA trust stores
- Track session cache replacement and ticket key rotation events on application dashboards
How to Mitigate CVE-2025-68121
Immediate Actions Required
- Update to the Go release that contains the fix and rebuild affected binaries (the fix is in the standard library, so every affected program must be rebuilt, not just the toolchain updated)
- Review all Go applications using crypto/tls for dynamic CA configuration patterns
- Drop existing client session caches and rotate server session ticket keys after deploying the fix, so that sessions established under the old trust settings cannot be resumed
- If patching is delayed, temporarily disable session resumption in critical applications (see Workarounds)
- Audit applications using Config.Clone() or Config.GetConfigForClient with CA modifications
Patch Information
The Go team has released a fix for this vulnerability, available through Go.dev CL #737700. The vulnerability is documented in the Go.dev Vulnerability Database entry GO-2026-4337; further information can be found in Go.dev Issue #77217 and the Golang Announce mailing list post.
Organizations should update their Go installations to the latest patched versions and rebuild affected applications.
Workarounds
- Disable session resumption until the fix is deployed. On servers set SessionTicketsDisabled: true in tls.Config. Go clients only resume when ClientSessionCache is non-nil, so on clients leave it nil, or replace the cache with a new one whenever RootCAs change
- Do not mutate ClientCAs or RootCAs on a cloned Config; build a new tls.Config (with a new ClientSessionCache on clients) whenever the trust anchors change
- In GetConfigForClient, give a returned Config with different ClientCAs its own ticket keys with SetSessionTicketKeys, so that tickets issued under the original trust settings cannot be decrypted and the client falls back to a full handshake
- Invalidate sessions at the application level when the CA trust configuration changes: replace the client session cache and rotate server ticket keys
# Configuration example
# To disable session resumption on a server as a temporary workaround,
# set SessionTicketsDisabled in your tls.Config (Go clients do not resume
# unless ClientSessionCache is set, so on clients leave it nil):
#
# config := &tls.Config{
# SessionTicketsDisabled: true,
# // ... other configuration
# }
#
# After updating Go to the release containing the fix, rebuild your application:
go build -o myapp ./cmd/myapp
# Confirm the toolchain version ("go version <binary>" reports the version a
# built binary was compiled with):
go version
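The rotation pattern from the workarounds above, and the shared-cache root cause described earlier, exercised end to end as an added Go example (this is not code from the Go project, the advisory or this page; the two CAs, the localhost server certificate and the loopback TCP connections are constructed for the demo). A client establishes a session with a server whose certificate chains to CA A, resumes it, and then rotates trust to CA B by building a new tls.Config with a new ClientSessionCache instead of mutating a clone. Because the old cache is gone, the third connection is a full handshake and fails certificate verification, which is exactly the check the clone-and-mutate pattern (shown in a comment) would skip on a Go release without the fix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert generates a P-256 key and a certificate signed by parent (nil parent:
// self-signed CA). Every certificate here is constructed demo data, not a real PKI.
func mkCert(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// clientConfigFor is the hardened pattern: a change of trust anchors produces a
// brand-new Config with its own empty ClientSessionCache. The pattern to avoid is
//   cfg2 := cfg.Clone(); cfg2.RootCAs = newPool
// because Clone is shallow: cfg2 shares cfg's ClientSessionCache and, on a Go
// release without the fix, resumes a session verified only against the old RootCAs.
func clientConfigFor(pool *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: "localhost", RootCAs: pool, MinVersion: tls.VersionTLS13,
		ClientSessionCache: tls.NewLRUClientSessionCache(16)}
}

// handshake runs one handshake over loopback TCP and reports whether the client
// resumed. The server sends one byte afterwards because a Go TLS 1.3 client only
// processes the NewSessionTicket message (and fills its cache) when it reads.
func handshake(serverCfg, clientCfg *tls.Config) (resumed bool, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			srv := tls.Server(conn, serverCfg)
			if srv.Handshake() == nil {
				srv.Write([]byte{0})
			}
			srv.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	cli := tls.Client(raw, clientCfg)
	defer cli.Close()
	if err = cli.Handshake(); err != nil {
		return false, err
	}
	if _, err = cli.Read(make([]byte, 1)); err != nil {
		return false, err
	}
	return cli.ConnectionState().DidResume, nil
}

// demo establishes a session under CA A, resumes it, then rotates trust to CA B
// with a fresh Config: the old session is never offered, so the client performs
// a full handshake and rejects the server certificate that chains to CA A.
func demo() (firstResumed, secondResumed bool, afterRotationErr error) {
	caA, keyA := mkCert(1, "Demo CA A", nil, nil)
	caB, _ := mkCert(2, "Demo CA B", nil, nil)
	leaf, leafKey := mkCert(3, "localhost", caA, keyA)
	serverCfg := &tls.Config{MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	poolA := x509.NewCertPool()
	poolA.AddCert(caA)
	clientA := clientConfigFor(poolA)
	firstResumed, err := handshake(serverCfg, clientA) // full handshake; ticket cached
	must(err)
	secondResumed, err = handshake(serverCfg, clientA) // resumed from the cache
	must(err)
	poolB := x509.NewCertPool() // rotation: CA A dropped, CA B trusted, new Config and cache
	poolB.AddCert(caB)
	_, afterRotationErr = handshake(serverCfg, clientConfigFor(poolB))
	return firstResumed, secondResumed, afterRotationErr
}

func main() {
	fmt.Println(demo())
}
```

demo() returns false, true and a *tls.CertificateVerificationError: the first connection is a full handshake, the second resumes, and the third is rejected because the new Config's empty cache forces a full handshake against CA B. The server side follows the same idea: a brand-new tls.Config gets freshly generated session ticket keys, so tickets issued under the previous ClientCAs no longer decrypt; inside GetConfigForClient, calling SetSessionTicketKeys on the returned Config has the same effect.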
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.