Go Encoding ASN.1 Memory Exhaustion Vulnerability

Vulnerability

A vulnerability exists in the Go standard library's encoding/asn1 package in versions before 1.24.8 and in the 1.25 series before 1.25.2. The issue arises when the package parses DER (Distinguished Encoding Rules) payloads: memory is allocated before the payload has been fully validated, so an attacker can supply a large, empty DER payload that leads to memory exhaustion. The flaw is reachable through functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.

Impact

Exploitation of this vulnerability causes memory exhaustion: memory usage grows with the attacker-controlled declared length, and the affected process may crash.

Remediation

Users should upgrade to Go 1.25.2 or 1.24.8 (or later) to address this vulnerability.
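The fix is the upgrade above. As defense in depth on code paths that pass untrusted DER into the affected functions, a caller can refuse input whose outer length field cannot possibly be satisfied by the bytes actually present, which is the shape of payload the Vulnerability section describes. The following Go program is an added example written for this page; it is not the Go project's patch and not code from the advisory. The names checkDERLength, safeUnmarshal and maxDERInput, and the 64 KiB cap, are choices made for the example. The header check allocates nothing, so it can run before the parser touches the data.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// maxDERInput caps what we are willing to hand to the parser at all.
// The value is an assumed policy choice for this example, not a Go default.
const maxDERInput = 64 * 1024

var (
	errTooShort   = errors.New("der: input too short for a TLV header")
	errBadLength  = errors.New("der: declared length exceeds available bytes")
	errLengthForm = errors.New("der: indefinite or oversized length encoding")
)

// checkDERLength decodes only the outer tag and length of a DER element and
// rejects input whose declared content length cannot fit in the bytes that
// actually follow. It performs no allocation.
func checkDERLength(b []byte) error {
	if len(b) < 2 {
		return errTooShort
	}
	i := 1 // index of the length octet once the tag is consumed
	if b[0]&0x1f == 0x1f { // high-tag-number form: tag continues while bit 8 is set
		for i < len(b) && b[i]&0x80 != 0 {
			i++
		}
		i++ // the final tag octet (bit 8 clear)
	}
	if i >= len(b) {
		return errTooShort
	}
	lb := b[i]
	i++
	var declared uint64
	if lb&0x80 == 0 {
		// Short form: a single octet holding a length below 128.
		declared = uint64(lb)
	} else {
		// Long form: the low seven bits give the number of length octets.
		n := int(lb & 0x7f)
		if n == 0 || n > 4 { // 0x80 is the indefinite form, which DER forbids; more than 4 octets is never needed here
			return errLengthForm
		}
		if i+n > len(b) {
			return errTooShort
		}
		for _, c := range b[i : i+n] {
			declared = declared<<8 | uint64(c)
		}
		i += n
	}
	if declared > uint64(len(b)-i) {
		return errBadLength
	}
	return nil
}

// safeUnmarshal applies the size cap and the header check before delegating
// to asn1.Unmarshal. The parser itself is unchanged; the guard only refuses
// input whose outer length field is already inconsistent with its size.
func safeUnmarshal(b []byte, v interface{}) error {
	if len(b) > maxDERInput {
		return fmt.Errorf("der: input of %d bytes exceeds cap of %d", len(b), maxDERInput)
	}
	if err := checkDERLength(b); err != nil {
		return err
	}
	_, err := asn1.Unmarshal(b, v)
	return err
}

func main() {
	// Constructed inputs: a well-formed INTEGER 5, and a SEQUENCE header that
	// declares 0x7fffffff bytes of content while carrying none.
	good := []byte{0x02, 0x01, 0x05}
	bogus := []byte{0x30, 0x84, 0x7f, 0xff, 0xff, 0xff}

	var n int
	fmt.Println(safeUnmarshal(good, &n), n) // <nil> 5
	var raw asn1.RawValue
	fmt.Println(safeUnmarshal(bogus, &raw)) // der: declared length exceeds available bytes
}
```

The check is deliberately narrow: it only guarantees that the outermost element's declared length fits in the buffer. Nested elements are still validated by asn1.Unmarshal, so the guard complements the upgrade rather than replacing it, and the size cap should be set from what the application legitimately expects to receive.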

Added: Oct 29, 2025, 11:27 PM
Updated: Oct 29, 2025, 11:27 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.9
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.