TLS 1.3 Info Disclosure in Go TLS Library (Pre 1.22)
CVE-2025-61730 Published on January 28, 2026
Handshake messages may be processed at the incorrect encryption level in crypto/tls
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.
Vulnerability Analysis
CVE-2025-61730 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Products Associated with CVE-2025-61730
Want to know whenever a new CVE is published for GoLang Go? stack.watch will email you.
Affected Versions
Go standard library crypto/tls:- Before 1.24.12 is affected.
- Version 1.25.0 and below 1.25.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.