Critical Go Vulnerabilities Patched in 1.25.6 and 1.24.12 Releases

Related

Hackers Exploit Critical Auth Bypass in Gitea Docker Image

What happened Hackers are actively exploiting a critical authentication bypass...

Zimbra Urges Customers to Patch Critical Web Client XSS Flaw

What happened Zimbra urged customers to patch a critical stored...

Progress Urges ShareFile Customers to Shut Down Servers Over Credible Threat

What happened Progress Software warned ShareFile customers using Storage Zone...

Ubiquiti Discloses 25 Security Flaws Across UniFi Ecosystem

What happened Ubiquiti disclosed 25 security vulnerabilities affecting products across...

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Share

What happened

The Go programming language team released emergency updates Go 1.25.6 and Go 1.24.12 to patch six high-impact security vulnerabilities affecting the standard library and toolchain. External researchers credited for these discoveries include Jakub Ciolek, jub0bs, Coia Prant (rbqvq), RyotaK (GMO Flatt Security), and splitline (DEVCORE). Vulnerabilities included memory exhaustion in net/http’s Request.ParseForm, super-linear filename indexing in archive/zip leading to DoS, unsafe CgoPkgConfig execution enabling arbitrary code, VCS toolchain misinterpretation allowing file overwrites, and TLS session handling flaws exposing session ticket keys. Exploitation could affect web servers, cryptographic tools, and build systems using Go modules, potentially leading to denial-of-service or code execution on unpatched environments.

Who is affected

Developers and enterprises relying on Go 1.24.x or 1.25.x in production systems, including web servers, cryptography tools, and CI/CD pipelines, are directly affected. Any applications built on these versions without the latest patches face potential DoS or remote code execution risks.

Why CISOs should care

Unpatched language runtime vulnerabilities pose supply chain and operational risks. Exploitation could compromise enterprise applications, disrupt services, and enable injection of malicious code into downstream builds.

3 practical actions

  • Upgrade Go immediately: Update to Go 1.25.6 or Go 1.24.12 and rebuild binaries to mitigate DoS and code execution risks.
  • Audit dependencies and builds: Scan all Go modules and CI/CD pipelines for unpatched or vulnerable versions.
  • Monitor runtime behavior: Watch for excessive memory allocations, abnormal archive processing, or suspicious TLS handshake anomalies.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.